* these are my gentoo install steps on my former physical desktop computer. (steps duplicated and modified from gentoo_vm.wofl(renamed to 3*.wofl) file in the same dir)
* make virtualbox VM
  \ to install gentoo in virtualbox
  * create new virtual machine
    * linux
    * gentoo (64bit)
  * set 8G RAM
    \ 8192 MB
    \ any less and it would affect having /var/portage
  * HDD vdi 15G  dynamic!! (never use: fixed)
    \ so use dynamic here to avoid writing 15G at the start
    \ click to browse where to put it (for my case)
    \ also chose 15G instead of 12G so I've more space to store firefox ccache (yep definitely 12G is NOT ENOUGH!)
  * in System:
    * remove floppy from System
    * in Processor tab:
      * set 4 cores
      * enable PAE/NX in System->Processor
    * other defaults are:
      * Motherboard tab
        \ Boot order: CD/DVD and HardDisk
        \ Chipset: PIIX3
        \ Pointing Device: USB Tablet
        \ Extended Features:
          \ ticked Enable I/O APIC
          \ no efi (unticked)
          \ ticked Hardware Clock in UTC Time
      * Acceleration tab
        \ enable VT-x/AMD-V
        \ enable Nested Paging
  * in Storage:
    * add the ISO on the Empty CD below Controller: IDE
      \ //install-amd64-minimal-20141204.iso
      \ //admincd-amd64-20150319.iso
      \ admincd-amd64-20150326.iso
      * don't tick live cd/dvd
    * click Controller: SATA and enable: Use Host I/O Cache
    * set HDD to be SSD (aka nonrotational)
      * tick Solid-state Drive on the device below Controller: SATA
      * click OK
      * exit virtualbox, close the window, and make sure there wasn't any other window open (maybe other running virtualboxes are ok)
      - edit .vbox file(it's in the folder with the same name as the name you gave to this virtualbox when you created it) search for nonrotational and add next to it:
        \ discard="true"
        \ XXX: this will shrink dynamic/fixed (yes either! tested! virtualbox 4.3.20) .vdi file when TRIM happens inside guest OS - this means lots of writes on the host though - so don't use this, unless you lack space and you're not on a SSD(on host)
        \ without this, hdparm -I /dev/sda  doesn't report TRIM as supported inside guest OS
        \ setting this to true will hurt you if you lvremove root volume even though it cost nothing to create it, the .vdi is 12G now, but after lvremove it will write 12G to get it down to like 200MB let's say. So for this reason, do not use discard! not using discard might cost only SSD write amplification because .vdi will never shrink; well whatever.
      * ok set discard="false"  for now! because we don't want the overhead of shrinking!!!
      * start virtualbox
  * in Network:
    * set Adapter 1, Attached to: NAT
      \ we'll use dhcp IPs given by virtualbox eg. 10.0.2.15
    - set Adapter 1, Attached to: Bridged Adapter
      \ XXX: the problem with this is that it requires my physical router be connected on my LAN in order for my ssh to virtualbox VM sessions to work (they use the LAN IPs) ie. unplugging LAN cable will freeze all ssh sessions and they time out after a few mins.
  * Serial Ports (to see dmesg on kernel oops/panics)
    * Port 1
      \ COM1, IRQ 4, I/O 0x3F8
      \ Port Mode: RAW File
      \ Port File Path: /tmp/lim2pwds_com1.txt
      - in kernel cmdline of the guest OS(so, later!) add: DONE: move this below!
        \ console=tty1,ttyS0,115200n8 earlyprintk=vga,serial,ttyS0,115200,keep
        \ done: well you can increase the speed actually, to: 115200  or maybe more, haven't tested with anything other than 9600
* install gentoo
  \ we're now gonna try a stable install (not the bleeding edge which was previously aka ~amd64  because me no likee compilations errorz) and also the stable hardened kernel, not the (non-hardened)git one!
  \ other features(leftover from previous versions of this file that you're reading): password before grub menu is displayed(which is same luks pwd as /boot which is in fact /but), password before booting an entry, password before editing an entry, and another luks pwd during boot for mounting rootfs (different pwd from /but).
  * boot from liveCD using boot params when prompted:
    * gentoo-nofb ipv6.disable=1 nodhcp   #SECONDBOOT (secondboot=things you need to do if you need to boot from CD again because booting after install failed or you took a break)
      \ XXX: gentoo-nofb is required or else it will lockup with the normal fb one when loading modules! unless using admincd.iso which seems to be working!
      \ XXX: nodhcp so you don't have to pkill dhcpcd due to some bug (but still have to stop it due to another bug)
      \ noipv6 is needed for gpg trying to access keyserver via ipv6 addresses
      \ there's no such option: noipv6
      \ use ipv6.disable=1  instead
    * /etc/init.d/rpcbind stop  #SECONDBOOT
      \ kill listening rpcbind (on eg. port 111 and others, nfs related )
    * setup networking (only when not using NAT in virtualbox, so do this when using Bridged)
      * /etc/init.d/dhcpcd stop #SECONDBOOT
        \ this works if you use nodhcp above
      * pkill dhcpcd
        \ needed if you didn't use nodhcp above
        \ https://bugs.gentoo.org/show_bug.cgi?id=526934#c2
      * fix net-setup first(on the 2014 iso, no newer one yet) #SECONDBOOT : https://bugs.gentoo.org/show_bug.cgi?id=536432
        \ yep this still needs to be fixed!!! with the admincd of 9 april 2015
        \ can't modify the file on the spot, read-only file system!
        * cp `which net-setup` .
        * nano -w net-setup  (vim exists on admincd so... vim net-setup +119 )
          \ alt+g, 119, enter
          \ End key, add the  \ 
          \ Ctrl+O, enter, Ctrl+X
        * run it as ./net-setup enp2s0  (the other one is enp3s0 and it's the one on top, as physical location)
          \ to use the one in current directory which we fixed!
      * net-setup enp2s0 #SECONDBOOT
        \ or use ifconfig to get the interface name to pass.
        \ use different IP here than what you'd use inside chroot setting up networking! (to allow different ssh fingerprints)
        \ for DNS use 8.8.8.8 (or better yet, since the google one lagged lately, use opendns: 208.67.222.222 ) and set search to none(press enter) or *
      * vim /etc/resolv.conf #SECONDBOOT
        \ nameserver 208.67.222.222
        \ nameserver 208.67.220.220
        \ #nameserver 192.168.1.1
    * see if net works  #SECONDBOOT
      * ping google.com
        \ to see it works
    * start using ssh to facilitate copy/paste operations #SECONDBOOT
      * passwd
        \ to set a root password
      * /etc/init.d/sshd start
      * how to now connect from host
        \ if you ssh for the second boot, you'll need to rm the line from your host's ~/.ssh/known_hosts or else you can't ssh due to WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! #SECONDBOOT vim ~/.ssh/known_hosts
        * ssh root@192.168.1.2
          \ it's the IP that you set in net-setup above
        - ssh ... if using NAT
          - this requires you have a similar IP on host - NOPE, this is not the way, guest is under NAT after all
            \ add it: sudo ip addr add 10.0.2.200/24 dev net0
            \ see it: ip addr   <- to see effect (not ifconfig -v)
            \ remove it: sudo ip addr del 10.0.2.200/24 dev net0
          * you need to port forward port 22
            \ http://ask.xmodulo.com/access-nat-guest-from-host-virtualbox.html
            * Machine->Settings->Network->Port Forwarding (button)
              \ Name: ssh
              \ Protocol: TCP
              \ Host IP: 127.0.0.20
              \ Host Port: 8822
              \ ^ (any unused port higher than 1024) unless you're running virtualbox as root (don't!)
              \ Guest IP: 10.0.2.15
              \ Guest Port: 22
          * ssh -v -p 8822 127.0.0.20 -l root
    * start this inside vm:
      \ dmesg -w
      \ and watch for segfaults (apparently cc1plus likes to do that - 3 times so far)
      \ note that you are using ssh terminal now, so putting this inside vm window is ok (or in another ssh session, non-chrooted)
    * partition disk
      * parted -a optimal /dev/sda
      * mktable gpt
        \ mklabel=mktable  but mktable is more intuitive
        \ note: destroys all existing partitions (data is lost)
      * unit mib
      * creating the partitions
        \ src: https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Disks#Creating_the_partitions
        * make a 2MB grub bios partition that will be used by the GRUB2 boot loader later
          * mkpart primary 1 3
          * name 1 gruby
          * set 1 bios_grub on
          * print
        - when /boot isn't inside LVM
          - make boot
            * mkpart primary 3 131
            * name 2 but
          - make swap
            * mkpart primary 131 643
            * name 3 swap
          - make root
            * mkpart primary 131 7000
              \ using a 12G hdd
            - mkpart primary 643 -1
            * name 3 rootfs
            - name 4 rootfs
          - make boot partition bootable (apparently needed only for UEFI?)
            * set 2 but on
        - make LVM (with /boot inside lvm, grub can boot from this)
          * mkpart primary 3 -1
          * set 2 lvm on
          * name 2 lvmall
        * make LUKS partition for /but
          \ done: do I need to set lvm flag here? even though lvm is inside luks? - nope
          * mkpart primary 3 1027
          * name 2 buty
          - no: maybe set this to root or hidden flag (currently no flag is set) - i dno, this doesn't seem needed
            \ set 2 root on
            \ or
            \ set 2 hidden on
        * make LUKS partition for /
          \ this is so we can use different passwords - one at grub menu for mounting /but and one for kernel when it wants to mount /
          * mkpart primary 1027 998G
            \ should've probably been GB not G because: now Size: 950740MiB
          * name 3 lucky
        * print
        * q
    * create filesystems
      * LUKS
        * create
          * cryptsetup --verbose --verify-passphrase luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5401 --use-random -- /dev/sda2
            \ to later change the password: cryptsetup --verbose --verify-passphrase --iter-time 502 luksChangeKey /dev/sda2   (note the crappy iter-time used this time around!)
            \ uppercase YES or else: Command failed with code 22: Invalid argument
            \ move mouse and press keys inside the VM (not ssh session) - unsure if mouse has any effect, or maybe just very little
            \ getting this error after 100% key generation:
            \ device-mapper: remove ioctl on temporary-cryptsetup-12589 failed: Device or resource busy
            \ Command successful.
            \ Note: cryptsetup: Option --allow-discards is allowed only for open operation.
            \ boot
          * cryptsetup --verbose --verify-passphrase luksFormat --cipher aes-xts-plain64 --key-size 512 --hash sha512 --iter-time 5401 --use-random -- /dev/sda3
            \ root
          - cryptsetup --verbose isLuks /dev/sda2 || echo no
            \ Command successful.
          * cryptsetup --verbose luksOpen /dev/sda2 luks_on_sda2_boot
            \ #SECONDBOOT DO THIS AFTER LVM BELOW:
            \ --allow-discards not needed!!!
          * cryptsetup --verbose luksOpen /dev/sda3 lvm_on_luks_on_sda3_root
            \ #SECONDBOOT DO THIS AFTER LVM BELOW:
            \ --allow-discards not needed!!!
        * backup header:
          * cryptsetup --verbose luksHeaderBackup /dev/sda2 --header-backup-file boot.luks.header
          * cryptsetup --verbose luksHeaderBackup /dev/sda3 --header-backup-file root.luks.header
          * now use scp to pull it out of vbox into the host i guess... TODO:
            * on HOST run this:
              * cd /home/emacs/luks.headers.backup/desktop
              * scp -P 22 -4vp root@192.168.1.2:/root/*.header .
                \ make sure: debug1: Exit status 0  not 1  (if 1 look above see what failed!)
              * ls -la
                \ 2 2meg files
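Added example, not from these notes: a POSIX sh check that a LUKS1 header dump really carries the parameters the luksFormat lines above asked for (aes, xts-plain64, sha512, 512-bit master key) and counts the enabled key slots. It assumes the "Field:   value" text layout printed by `cryptsetup luksDump` (1.x); the dump it parses is a constructed sample, not output from a real device.

```shell
#!/bin/sh
# Added example, not part of the original notes: sanity-check a LUKS1 header
# dump against the parameters the luksFormat commands asked for
# (aes, xts-plain64, sha512, 512-bit master key) and count enabled key slots.
# Assumed layout: the "Field:<padding>value" text of `cryptsetup luksDump` 1.x;
# the dump used below is a constructed sample with placeholder values.

# Print the value of one top-level luksDump field, e.g. luks_field 'Cipher mode'.
luks_field() {
    awk -F: -v key="$1" '$1 == key { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# Read a luksDump on stdin; return 0 only if every parameter matches what we set.
check_luks_header() {
    dump=$(cat)
    rc=0
    for spec in 'Cipher name=aes' 'Cipher mode=xts-plain64' 'Hash spec=sha512' 'MK bits=512'; do
        field=${spec%%=*}
        want=${spec#*=}
        have=$(printf '%s\n' "$dump" | luks_field "$field")
        if [ "$have" = "$want" ]; then
            echo "$field: $have (ok)"
        else
            echo "$field: '$have' but expected '$want'"
            rc=1
        fi
    done
    # More enabled slots than passphrases you remember adding is worth a look.
    enabled=$(printf '%s\n' "$dump" | grep -c '^Key Slot [0-7]: ENABLED' || true)
    echo "enabled key slots: $enabled"
    return $rc
}

# Constructed sample in the luksDump 1.x layout (all values are placeholders).
sample_luks_dump() {
    printf '%s\n' \
        'LUKS header information for /dev/sda2' \
        '' \
        'Version:        1' \
        'Cipher name:    aes' \
        'Cipher mode:    xts-plain64' \
        'Hash spec:      sha512' \
        'Payload offset: 4096' \
        'MK bits:        512' \
        'MK digest:      00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33' \
        'MK salt:        placeholder salt' \
        'MK iterations:  123456' \
        'UUID:           00000000-0000-0000-0000-000000000000' \
        '' \
        'Key Slot 0: ENABLED' \
        '    Iterations:          1234567' \
        '    Salt:                placeholder salt' \
        '    Key material offset: 8' \
        '    AF stripes:          4000' \
        'Key Slot 1: DISABLED' \
        'Key Slot 2: DISABLED'
}

# Usage on a real device: cryptsetup luksDump /dev/sda2 | check_luks_header
# Usage on the sample:    sample_luks_dump | check_luks_header
```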
      * LVM
        \ LVM aligns to MiB boundaries and allows discards by default. No special configuration is required. 
        \ src: https://wiki.gentoo.org/wiki/SSD#LVM
        \ also src: https://wiki.gentoo.org/wiki/LVM
        * lvmetad
          * stop lvmetad, before changing it from 0 to 1
            * /etc/init.d/lvm stop ; /etc/init.d/lvmetad stop
              \ #SECONDBOOT
        * set discards (to 0 as they are since HDD not SDD here) #SECONDBOOT
          * nano -w /etc/lvm/lvm.conf  (vim is available with admincd*.iso)
            \ NOTE: this is the first occurrence in this .wofl file in which we're using an editor to edit a file, when using admincd*.iso 'vim' is available, otherwise use 'nano -w' (eg. when using minimalcd*.iso there's no vim)
            - Ctrl+W to search, for: issue_d
              \ issue_discards = 0
            * Ctrl+W use_lvmetad =
              \ Alt+W to next search (not needed if you include the equals above)
              \ use_lvmetad = 1
          * uncomment: default_data_alignment = 1   <- means 1MB
            \ and below: data_alignment_detection = 1  which means enabled
        - /etc/init.d/lvmetad stop
          \ to disable the warning:
          \ WARNING: lvmetad is running but disabled. Restart lvmetad before enabling it!
          \ when pvcreate is executed below
          \ --------------
          \ on another note: TODO: maybe we need to stop it and then set use_lvmetad=1 in /etc/lvm/lvm.conf and then start it again
          \ as the lvm.conf says:
          \ XXX: "    # If lvmetad has been running while use_lvmetad was 0, it MUST be stopped
          \ # before changing use_lvmetad to 1 and started again afterwards. "
          \ to read current value of use_lvmetad(which is 0) use this: lvm dumpconfig --type default global/use_lvmetad
          \ yep it's 0
        * start lvmetad (needed for grub, apparently! with luks)
          * /etc/init.d/lvm start
            \ #SECONDBOOT AFTER THIS DO THE cryptsetup luksOpen ABOVE
            \ starts lvm and lvmetad!
        * create physical volume
          - pvcreate --verbose /dev/sda2
          * pvcreate --verbose /dev/mapper/lvm_on_luks_on_sda3_root
        * check that first extent starts at the right place:
          - pvs /dev/sda2 -o+pe_start --units b
          * pvs /dev/mapper/lvm_on_luks_on_sda3_root -o+pe_start --units b
            \ 1st PE : 1048576B
            \ yep should be 1MiB
            \ src: http://tytso.livejournal.com/2009/02/20/
        * pvdisplay
          \ shows what we did
          \ With the pvdisplay command, an overview of all active physical volumes on the system can be obtained. 
        * create vg
          \ A volume group (VG) groups a number of physical volumes and shows up as /dev/VG_NAME in the device file system. The name of a volume group is chosen by the administrator.
          * vgcreate --verbose vgall /dev/mapper/lvm_on_luks_on_sda3_root
          - vgcreate --verbose vgall /dev/sda2
        * pvdisplay
        * vgdisplay
        * make logical volumes
          \ Logical volumes are the final meta devices which are made available to the system, usually to create file systems on. They are created and managed in volume groups and show up as /dev/VG_NAME/LV_NAME.
          * lvcreate --verbose --discards passdown -L 1024M -n bootlvolbackup vgall
            \ TODO: make use of this backup to save contents probably before running genkernel?
            \ the boot logical volume backup - where we store a copy of the /dev/sda2 partition i guess
            \ XXX: there's a --discards passdown but seems to have no effect and is not necessary (only tested on non-luks)
          * lvcreate --verbose --discards passdown -l 100%FREE --name rootlvol vgall
            \ the root+home device
            \ this is how to remove it(even if not in /dev/mapper/): lvremove /dev/vgall/rootlvol
        * lvdisplay
      * boot
        \ TODO: see mkfs.btrfs --help  and -A option might be needed to align for SSD ?
        * mkfs.btrfs --metadata single /dev/mapper/luks_on_sda2_boot
          \ single because ssd, although this isn't needed because it's supposedly detected and set automatically; XXX: maybe not detected when luks (or when no TRIM? supported in .vbox file)
        - mkfs.btrfs --metadata single /dev/vgall/bootlvolbackup  TODO: do we actually mirror the entire partition contents ? or how else would we be able to detect stuff
        - mkfs.btrfs /dev/sda2
          \ btrfs boot 'cause ext2 is too easy
        - mkfs.ext2 /dev/sda2
      - swap
        * mkswap /dev/sda3
        * swapon /dev/sda3
      * root
        * mkfs.btrfs --metadata single /dev/vgall/rootlvol
        - mkfs.btrfs /dev/sda3
    * mount filesystems
      * prereq (not needed; needed only when luksOpen happens after lvm was already started)
        \ only if you have rebooted once since creating partitions/filesystems above, then you will get this when trying to mount:
        \ mount: special device /dev/vgall/rootlvol does not exist
        \ so to fix that do this:
        * nano -w /etc/lvm/lvm.conf
          * Ctrl+W to search, for: issue_d
            \ issue_discards = 1
        - /etc/init.d/lvmetad stop
        * lvchange --verbose --activate y --activationmode complete vgall
          \ lvscan <- for searches in this file that you're reading right now
          \ #SECONDBOOT XXX: this is not needed if you did LVM first and then LUKS(cryptsetup luksOpen) above!
      * mount -o async,relatime,noauto,rw,suid,dev,exec,nouser,loud,ssd,autodefrag,compress=lzo,datasum,datacow,space_cache,commit=300 /dev/vgall/rootlvol /mnt/gentoo
        \ #SECONDBOOT
        \ datasum and datacow are implied if compression is enabled; but nodatasum and/or nodatacow disables all compression. So by specifying datacow and datasum(with compress=lzo) we're just explicitly stating our defaults. Using mount will not show datasum and datacow since they are the default.
        \ XXX: not using: discard option(will use fstrim)
        \ /mnt/gentoo/ already exists
        \ we definitely want relatime instead of noatime ! see: man mount
        \ commit every 5 mins https://wiki.archlinux.org/index.php/Btrfs#Checkpoint_interval
        \ autodefrag: auto defragmentation detects small random writes into files and queues them up for
        \ the defrag process. Works best for small files; not well-suited for large database workloads.
      * mkdir /mnt/gentoo/b{oo,u}t
        - mkdir /mnt/gentoo/boot
          \ leave an empty dummy /boot
        - mkdir /mnt/gentoo/but
          \ the real /boot dir is /but
      - mount -o async,relatime,noauto,rw,nosuid,nodev,noexec,nouser,loud,ssd,autodefrag,compress=lzo,datasum,datacow,space_cache,commit=300 /dev/vgall/bootlvol /mnt/gentoo/but
      * mount -o async,relatime,noauto,rw,nosuid,nodev,noexec,nouser,loud,ssd,autodefrag,compress=lzo,datasum,datacow,space_cache,commit=300 /dev/mapper/luks_on_sda2_boot /mnt/gentoo/but
        \ #SECONDBOOT
        \ XXX: not using: discard  (will use fstrim)
    * mkdir -p /mnt/gentoo/etc/lvm && cp -L /etc/lvm/lvm.conf /mnt/gentoo/etc/lvm/lvm.conf
      \ NIXME: wait, we need lvm2 installed with hardened uclibc - no more uclibc!! too buggy
      \ but we still need to use this config!
      \ this remembers to not use lvmetad (=0) and discards=1
      \ fixed?: we might need lvmetad to be used in system (not chroot or installCD modes)
    * cd /mnt/gentoo
      \ #SECONDBOOT
    * download and unpack stage 3
      * download stage3
        * execute: links http://trumpetti.atm.tut.fi/gentoo/releases/amd64/autobuilds/current-stage3-amd64-hardened+nomultilib/
        - execute: links http://trumpetti.atm.tut.fi/gentoo/releases/amd64/autobuilds/current-stage3-amd64-uclibc-hardened/
          \ or links http://www.gentoo.org/main/en/mirrors.xml (apparently https won't work with links; works with firefox)
        * download:
          \ by pressing D on file
          \ stage3-amd64-hardened+nomultilib-20150409.tar.bz2.DIGESTS.asc
          \ stage3-amd64-hardened+nomultilib-20150409.tar.bz2
          \ 203MB
        * exit
          \ q, Enter
      * verify integrity
        * get key
          * gpg --recv-keys 0xBB572E0E2D182910
            \ that created /root/.gnupg/gpg.conf  which is required for the following* to work(or you'll have to specify --keyserver keys.gnupg.net or subkeys.pgp.net  as the first option to gpg, before --recv-keys):
          * gpg --recv-keys 0xBB572E0E2D182910
            \ seems like a good idea to NOT put this in /etc/portage/gpg/ just in case this key gets compromised and used to sign, let's say. On the other hand the keys are probably signed by each other which would ensure higher trust.
        * check fingerprint
          * gpg --fingerprint
            \ should match with the one here:
            \ https://www.gentoo.org/proj/en/releng/#doc_chap5
            \ 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
        * check key sigs
          * gpg --check-sigs
            \ should be 1 bad signature the 2009-08-25 one at the end (sig-3)
            \ sig!3  and sig-3 (the latter is the bad one)
            \ "The exclamation mark is only produced on --check-sigs, it's absent on 
            \ --list-sigs so it's an indication that the signature is good. All signatures 
            \ with --check-sigs should have the ! because signatures made by keys not in 
            \ your key ring are excluded.
            \ The digit is the indication of how much verification took place before signing 
            \ - when you sign a key, GnuPG asks you how carefully you verified the key, 3 
            \ is the highest level - very careful checking."
            \ from: http://lists.gnupg.org/pipermail/gnupg-users/2004-July/022910.html
        * check .asc sig
          * gpg --verify *.asc
            \ gpg: Good signature from "Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>" [unknown]
            \ ...
            \ same key fingerprint from above
        * check sha512sum of the tar
          * sha512sum -c *.asc
            \ first should be OK, second FAILED (because it's whirlpool not sha512)
            \ stage3-amd64-nomultilib-20141204.tar.bz2: OK
            \ stage3-amd64-nomultilib-20141204.tar.bz2: FAILED
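Added example, not from these notes: a small POSIX sh helper that checks only the SHA512 entries of a DIGESTS file, so the WHIRLPOOL entries stop showing up as FAILED the way `sha512sum -c *.asc` reports them. It assumes the DIGESTS layout with a "# SHA512 HASH" comment line before each hash and builds its own constructed sample data; the signature check with gpg --verify stays a separate step.

```shell
#!/bin/sh
# Added example, not part of the original notes. Checks only the "# SHA512 HASH"
# entries of a Gentoo-style DIGESTS file, so the WHIRLPOOL entries do not show
# up as FAILED the way a plain `sha512sum -c *.asc` reports them.
# Assumed layout: a "# SHA512 HASH" comment line followed by "<hash>  <file>",
# then the same pair for "# WHIRLPOOL HASH", all inside the PGP clearsign armor.
# The signature itself is still checked separately with gpg --verify.

# Print only the "<hash>  <file>" lines that follow a "# SHA512 HASH" header.
sha512_lines() {
    awk '
        /^# SHA512 HASH/ { want = 1; next }   # next data line is a sha512 entry
        /^#/             { want = 0; next }   # any other header (WHIRLPOOL) ends it
        want && NF == 2  { print; want = 0 }  # one "<hash>  <file>" line per header
    ' "$1"
}

# Verify the sha512 entries of DIGESTS file $1 against files in directory $2.
# Files listed but not present (e.g. the .CONTENTS file) are skipped.
# Returns 0 only if at least one entry was checked and none failed.
verify_sha512_digests() {
    digests=$1
    dir=$2
    list=$(mktemp) || return 2
    sha512_lines "$digests" > "$list"
    checked=0
    failed=0
    while read -r want_hash name; do
        [ -f "$dir/$name" ] || continue
        checked=$((checked + 1))
        have_hash=$(sha512sum "$dir/$name" | cut -d' ' -f1)
        if [ "$have_hash" = "$want_hash" ]; then
            echo "$name: OK"
        else
            echo "$name: FAILED"
            failed=$((failed + 1))
        fi
    done < "$list"
    rm -f "$list"
    [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]
}

# Build a constructed sample in a temp dir: a stand-in tarball, its real sha512,
# a bogus WHIRLPOOL line, and an entry for a .CONTENTS file that was not downloaded.
# Prints the directory name.
make_sample_digests() {
    d=$(mktemp -d) || return 2
    printf 'not a real stage3\n' > "$d/stage3-sample.tar.bz2"
    good=$(sha512sum "$d/stage3-sample.tar.bz2" | cut -d' ' -f1)
    {
        echo '-----BEGIN PGP SIGNED MESSAGE-----'
        echo 'Hash: SHA512'
        echo
        echo '# SHA512 HASH'
        echo "$good  stage3-sample.tar.bz2"
        echo '# WHIRLPOOL HASH'
        echo "0000000000000000deadbeef  stage3-sample.tar.bz2"
        echo '# SHA512 HASH'
        echo "$good  stage3-sample.tar.bz2.CONTENTS"
        echo '-----BEGIN PGP SIGNATURE-----'
        echo 'constructed sample, not a real signature'
        echo '-----END PGP SIGNATURE-----'
    } > "$d/stage3-sample.tar.bz2.DIGESTS.asc"
    echo "$d"
}

# Usage on a real download (after gpg --verify on the .asc has passed):
#   verify_sha512_digests stage3-*.tar.bz2.DIGESTS.asc .
# Usage on the sample:
#   d=$(make_sample_digests); verify_sha512_digests "$d"/*.DIGESTS.asc "$d"
```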
      * unpack
        * tar xvjpf stage3-*.tar.bz2
    * config Portage
      * gpg validated snapshots
        \ from: https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Pulling_validated_portage_tree_snapshots
        \ Administrators can opt to only update the local portage tree with a cryptographically validated portage tree snapshot as released by the Gentoo infrastructure. This ensures that no rogue rsync mirror is adding unwanted code or packages in the tree that the system is downloading. 
        * mkdir -p /mnt/gentoo/etc/portage/gpg ; chmod 0700 /mnt/gentoo/etc/portage/gpg
        * gpg --homedir /mnt/gentoo/etc/portage/gpg --keyserver subkeys.pgp.net --recv-keys 0xDB6B8C1F96D8BF6D
          \ or keys.gnupg.net
        * gpg --homedir /mnt/gentoo/etc/portage/gpg --fingerprint
          \ DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D
          \ pub   4096R/96D8BF6D 2011-11-25 [expires: 2015-11-24]
          \ Key fingerprint = DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D
          \ uid       [ unknown] Gentoo Portage Snapshot Signing Key (Automated Signing Key)
          \ sub   4096R/C9189250 2011-11-25 [expires: 2015-11-24]
        * gpg -v --homedir /mnt/gentoo/etc/portage/gpg --check-sigs 0xDB6B8C1F96D8BF6D
          \ gpg: using PGP trust model
          \ pub   4096R/96D8BF6D 2011-11-25 [expires: 2015-11-24]
          \ uid       [ unknown] Gentoo Portage Snapshot Signing Key (Automated Signing Key)
          \ sig!3        96D8BF6D 2011-11-25  Gentoo Portage Snapshot Signing Key (Automated Signing Key)
          \ sub   4096R/C9189250 2011-11-25 [expires: 2015-11-24]
          \ sig!         96D8BF6D 2011-11-25  Gentoo Portage Snapshot Signing Key (Automated Signing Key)
          \ 7 signatures not checked due to missing keys
        * gpg --homedir /mnt/gentoo/etc/portage/gpg --edit-key 0xDB6B8C1F96D8BF6D trust
          \ 5, enter,y, q, enter
      * nano -w /mnt/gentoo/etc/portage/make.conf
        \ -w means don't wrap long lines
        \ for example settings see /mnt/gentoo/usr/share/portage/config/make.conf.example
        - to see what's already in effect, switch to another terminal(or a new ssh session) and
          \ can't do this yet, only later on inside chroot!
          \ emerge --info | less
        * append this: FEATURES="assume-digests binpkg-logs -buildpkg -buildsyspkg -candy -ccache cgroup -clean-logs collision-protect -compress-build-logs -compress-index -compressdebug config-protect-if-modified -digest -distcc -distcc-pump distlocks downgrade-backup ebuild-locks -fail-clean fakeroot fixlafiles force-mirror -force-prefix -getbinpkg -installsources ipc-sandbox -keeptemp -keepwork -lmirror merge-sync -metadata-transfer -mirror multilib-strict network-sandbox news -noauto -noclean -nodoc -noinfo -noman nostrip -notitles parallel-fetch parallel-install prelink-checksums preserve-libs -protect-owned sandbox sfperms -sign -skiprocheck split-elog split-log splitdebug strict -stricter -suidctl -test -test-fail-continue -unknown-features-filter unknown-features-warn unmerge-backup unmerge-logs -unmerge-orphans userfetch userpriv usersandbox -usersync webrsync-gpg -xattr"
          \ see all FEATURES flags in man make.conf
          \ these flags save binary packages: buildpkg buildsyspkg downgrade-backup unmerge-backup 
          \ When Portage is run as root, FEATURES="userfetch" will allow Portage to drop root privileges while fetching package sources. This is a small security improvement. 
          \ XXX: didn't add ccache just yet! (Note: ccache command isn't available on livecd(nor in the uncompressed stage3), so we can only add it later on inside chroot)
          \ FIXME: removed test due to extra requirements like tcl and other stuff that I don't currently understand; for btrfs-progs  lots of things are needed like X libs corefonts truetype etc.
          \ //FIXME: add back stricter and see what QA_ vars need to be fiddled with, eg. for ncurses to compile. man make.conf
        * append this: PORTAGE_GPG_DIR="/etc/portage/gpg"
        * append this: PORT_LOGDIR="/var/log/portage/ebuild.logs/"
        * append this: CPU_FLAGS_X86="3dnow 3dnowext mmx mmxext popcnt sse sse2 sse3 sse4a"
          \ to get the updated flags(XXX: but this cannot be done right now):
          \ emerge -1v app-portage/cpuinfo2cpuflags
          \ cpuinfo2cpuflags-x86
          * also add them to USE=  for compatibility (for 1 year) - ALREADY added below
            \ as  eselect news read 9  says
        - append this: ACCEPT_KEYWORDS="~amd64"
          \ to use bleeding edge packages
        * append this: ACCEPT_LICENSE="* -@EULA"
          \ this is the default which can be seen with emerge --info|less
          - ACCEPT_LICENSE="-* @FREE"
            \ allow only free software and doc to be installed
            \ src: https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Portage#Licenses
        * append this: INSTALL_MASK="/lib/systemd /lib32/systemd /lib64/systemd /usr/lib/systemd /usr/lib32/systemd /usr/lib64/systemd /etc/systemd"
          \ src: http://gentooexperimental.org/~patrick/weblog/archives/2014-02.html
        * replace the USE flags line (Ctrl+K to remove that line): 
          * USE="sse4a popcnt 3dnow 3dnowext X bindist btrfs crypt cryptsetup cscope dbus device-mapper git gpg gpm gstreamer gtk3 jpeg lock mmx mmxext mosh-hardening pie pulseaudio readline session sse sse2 sse3 ssp startup-notification strong-security system-cairo system-icu system-jpeg system-libvpx system-sqlite xcomposite -cdr -cgi -cvs -debug -dvdr -emacs -firmware-loader -fortran -gnome -ipv6 -java -jit -kde -libssp -lua -luajit -lvm1 -mclib -minimal -network-cron -nls -nopie -nossp -plymouth -qt4 -racket -ruby -samba -static -static-libs -symlink -systemd -tcl -test -thunar -unicode -vim-pager -wifi -yahoo -filter_audio libav consolekit policykit"
          \ online USE flags list+descriptions: https://www.gentoo.org/dyn/use-index.xml#doc_chap1
          \ there's ufed to show and sort flags! TODO: eventually run ufed to tidy up the flags(eg. sort) which breaks them on multiple lines though.
          \ device-mapper for grub, lvm2 (unsure if needed): "Enable support for device-mapper from sys-fs/lvm2"
          \ XXX: -libssp keep this disabled!
          \ -symlink to not update /usr/src/linux symlink to point to most recent kernel sources installed, this way using `eselect kernel list` and `eselect kernel set 2` is the way to change that symlink
          \ XXX: disabled debug flag because at least vim will create nfa_regexp_{debug,dump,run}.log files in current folder(!) on each vim invocation and append stuff to them. Will enable debug only when needed on a per-package basis.
          \ see: equery uses seamonkey  (after emerge -a app-portage/gentoolkit ) to see all flags used by seamonkey for example.
          \ A full description on the available USE flags can be found on the system in /usr/portage/profiles/use.desc
          \ or this https://www.gentoo.org/dyn/use-index.xml#doc_chap2
          \ switch terminal Alt+F3 (or get a new ssh session), less /mnt/gentoo/usr/portage/profiles/use.desc
          - emerge --info | grep ^USE
            \ to see current (profile's) USE contents
            \ can't do this yet, only later on inside chroot!
        * make sure CFLAGS line is: CFLAGS="-O2 -pipe -march=native -Wstack-protector -fstack-protector-all -g3"
          \ don't use -DDEBUG or else compiling gnutls and gcc will fail: https://bugs.gentoo.org/show_bug.cgi?id=545316#c12
          \ -fsanitize=address" can't include this fails with some -lasanp or something error whateverrrrr
          \ never -O0 , -O1 is good for gdb, -O2 if you want fast!
          \ not sure if -ggdb is better than -g3
          \ don't use any extra spaces, it's known to break
          \ # -fstack-protector-strong
          \ ^ that one apparently breaks compiler (some ./configure says C compiler cannot generate executables)
          \ more info:
          \ https://wiki.gentoo.org/wiki/GCC_optimization#Introduction
          \ https://gcc.gnu.org/onlinedocs/gcc/Invoking-GCC.html#Invoking-GCC
          \ https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html#Optimize-Options
        * append this to use 4 cores when make: MAKEOPTS="-j4"
        * disable rsync because it's insecure and can't verify authenticity, by appending in make.conf the following line: SYNC="rsync://127.0.0.3/"
          \ src: https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Portage#Updating_the_portage_tree
        * grub, append these two lines:
          \ # Standard PC (BIOS)
          \ GRUB_PLATFORMS="pc"
          \ for uefi on amd64 add: efi-64 (not needed in virtualbox)
        * append X stuff:
          \ INPUT_DEVICES="keyboard evdev" # synaptics" only on host(not VM) TODO: unsure if vmmouse or even mouse is needed! maybe not needed due to evdev!
          \ VIDEO_CARDS="radeon"
        * prepare for ccache later on
          \ add lines:
          \ #this is the default ccache dir, but it's great to state it, in case we wanna change it later, eg. when firefox compilation happens:
          * choose to set ccache into RAM(tmpfs) or on hdd:
            * hdd
              \ CCACHE_DIR="/ccache"
            - tmpfs
              \ CCACHE_DIR="/var/tmp/ccache"
          \ CCACHE_SIZE="155G"
          \ 5G seems to be the default if that line doesn't exist
          \ CCACHE_UMASK="0002"
          \ ^ https://bugs.gentoo.org/show_bug.cgi?id=492910
        * ensure git-r3 (git3-src) (well, the ebuild command) updates the git source folder with the right permissions, so ebuild can be run as a normal user
          \ EVCS_UMASK="0002"
          * ebuild/emerge will fail with live ebuilds (eg. ebuild somefile.ebuild compile) when run as a normal user after having been run as root
            \ workaround FIX: # chmod -cR g+w /usr/portage/distfiles/git3-src
            \ actual fix: git needs to run as the portage user, otherwise some files get created as the normal user, thus inheriting its user:group
            \ FIXME: (gentoo issue, well /usr/portage/eclass/git-r3.eclass): this still doesn't solve the problem when running ebuild for the first time as user X and then as user Y: the update of the git folder at /usr/portage/distfiles/git3-src/ fails because user X:X owns the folder and others have no write rights, so Y cannot write. I was thinking of replacing the git invocations in git-r3.eclass with su invocations, but sudo would be better (except that, unlike su, it needs to be installed first) - su is bad because even with --preserve-environment it will still clear $PATH and $IFS, as you can see here:
            \ # echo $PATH ; su -c 'echo "$PATH"' -- emacs
            \ /usr/lib/ccache/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3
            \ /bin:/usr/bin
            \ workaround: # su -c 'PATH="'"$PATH"'" ; IFS="'"$IFS"'"; echo "$PATH" "$IFS"' --preserve-environment -- emacs
            \ workaround for the user Y situation: # chown -cR portage:portage /usr/portage/distfiles/git3-src
        * save
          \ Ctrl+X, y, enter
        - nano -w /etc/portage/package.use/pambase  (created new file)
          \ add line:
          \ sys-auth/pambase -debug
          \ sys-libs/pam -debug
          - nano -w /etc/portage/package.use  (created new file)
            \ add line:
            \ sys-auth/pambase -debug
        * add a gentoo mirror
          \ by appending this line:
          \ GENTOO_MIRRORS="http://de-mirror.org/gentoo/ http://gd.tuwien.ac.at/opsys/linux/gentoo/ http://mirror.netcologne.de/gentoo/"
          \ in /mnt/gentoo/etc/portage/make.conf
          \ or by running this to manually select mirrors:
          \ mirrorselect -i -o >> /mnt/gentoo/etc/portage/make.conf
          \ or better to get the 3 fastest ones:
          \ mirrorselect -s3 -D -o
          \ this takes a long time,
          \ that gives the GENTOO_MIRRORS var on stdout, you need to copy it in make.conf
          \ more info: https://wiki.gentoo.org/wiki/GENTOO_MIRRORS
        - DON'T add a rsync mirror:
          \ mirrorselect -i -r -o >> /mnt/gentoo/etc/portage/make.conf
        * mkdir /mnt/gentoo/etc/portage/repos.conf/
        * nano -w /mnt/gentoo/etc/portage/repos.conf/gentoo.conf
          \ this doesn't exist!
          - Comment out the sync-type and sync-uri variables
            \ # sync-type = rsync
            \ # sync-uri = ...
          * write these lines:
            \ [DEFAULT]
            \ main-repo = gentoo
            \
            \ [gentoo]
            \ auto-sync = no
            \ sync-type =
            \ sync-uri =
            \
            \ #XXX: ok, the first two aren't needed, apparently! but just like the next 2 (sync-*) options(which are empty by default) we are making the defaults explicit! in the latter case it means sync-*  disabled! (see: man portage)
            \ #XXX: actually, due to  eselect news read 10  the default for auto-sync is yes! and sync-type can be webrsync but it will warn(when running cpuinfo2cpuflags-x86 at least) if sync-uri is empty! !!! Repository 'gentoo' has sync-type attribute, but is missing sync-uri attribute
    * copy DNS info
      * cp -L /etc/resolv.conf /mnt/gentoo/etc/
        \ use the -L option to cp. This ensures that, if /etc/resolv.conf is a symbolic link, the link's target file is copied instead of the symbolic link itself.
    * mount virtual stuffs into chroot
      \ more info: https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Base#Mounting_the_necessary_filesystems
      * make sure portage user is the same on livecd as on chroot
        * test "$(chroot /mnt/gentoo/ id portage)" = "$(id portage)" && echo "identical"
          \ if you see identical, carry on
          \ otherwise see the differences with:
          \ cat <(chroot /mnt/gentoo/ id portage) <(id portage)
          \ you need to use the chroot user id somehow. TODO (maybe)
      * mount -t tmpfs -o rw,nosuid,relatime,nodev,size=90%,mode=1777 tmpfs /mnt/gentoo/tmp/
        \ #SECONDBOOT
        \ //mount -t tmpfs tmpfs /mnt/gentoo/var/tmp/
        \ //OR mount -t tmpfs none /mnt/gentoo/tmp/
        \ can't really use noexec now can I?!
        \ size=7G because we have 8G RAM (in this current virtualbox VM); size=90% is the same thing, except that when you change the RAM size in the VM this will resize accordingly, which is very much needed!
        \ noatime implies nodiratime; but we'd better use relatime
        \ 1777 that 1 means sticky bit (t) which means (from man chmod):
        \ RESTRICTED DELETION FLAG OR STICKY BIT
        \ The restricted deletion flag or sticky bit is a single bit, whose
        \ interpretation depends on the file type. For directories, it prevents
        \ unprivileged users from removing or renaming a file in the directory
        \ unless they own the file or the directory; this is called the
        \ restricted deletion flag for the directory, and is commonly found on
        \ world-writable directories like /tmp. For regular files on some older
        \ systems, the bit saves the program's text image on the swap device so
        \ it will load more quickly when run; this is called the sticky bit.
      - mount --rbind /mnt/gentoo/tmp/ /mnt/gentoo/var/tmp/
        \ XXX: no need on desktop! there's plenty of space! (we do leave /tmp tho)
        \ nope#SECONDBOOT
        \ have /tmp be accessible from /var/tmp also
      - PORTAGE_TMPDIR can be further restricted (nope, not for this desktopPC)
        \ interesting read for portage tmpfs https://wiki.gentoo.org/wiki/Portage_TMPDIR_on_tmpfs
        \ the default portage tmpdir is /var/tmp (can be seen LATER with emerge --info|grep ^PORTAGE_TMPDIR ) but portage does its magic MOSTLY in /var/tmp/portage (ccache portage stuff is in /var/tmp/ccache, another subdir of PORTAGE_TMPDIR)
        - mkdir /mnt/gentoo/var/tmp/portage/
          \ don't worry about mkdir folder attributes here, fstab will override them later on, also the mount below enforces them
          \ unneeded due to x-mount.mkdir
        * mount -t tmpfs -o rw,nosuid,relatime,nodev,size=90%,mode=775,uid=portage,gid=portage,x-mount.mkdir=775 tmpfs /mnt/gentoo/var/tmp/portage/
          \ nope#SECONDBOOT
      * mount -t proc proc /mnt/gentoo/proc ; mount --rbind /sys /mnt/gentoo/sys ; mount --rbind /dev /mnt/gentoo/dev ; mount --rbind /run /mnt/gentoo/run
        \ #SECONDBOOT
        \ /run is needed for grub to talk to lvmetad
    - nano -w /mnt/gentoo/etc/env.d/00basic  (only on hardened uclibc)
      \ DON'T do this! but find a way to get rid of those warnings!
      \ to avoid this warning(on env-update):
      \ /sbin/ldconfig: You should remove `/lib' from `/etc/ld.so.conf'
      \ /sbin/ldconfig: You should remove `/usr/lib' from `/etc/ld.so.conf'
      \ so remove those from LDPATH there
      \ don't remove them: https://bugs.gentoo.org/show_bug.cgi?id=457592
      \ actually, those warnings are a lie of sorts, because if removed, revdep-rebuild(its replacement is: time emerge @preserved-rebuild) will keep rebuilding stuff ad infinitum.
      \ this warning doesn't appear on non-hardened yet they are included
    - for hardened uclibc, add /usr/lib/man-db to LDPATH
      \ in non-hardened man-db is located here /usr/lib64/man-db/ and LDPATH is this LDPATH='/lib64:/usr/lib64:/usr/local/lib64:/lib:/usr/lib:/usr/local/lib'
      \ but in hardened, /usr/lib/man-db and LDPATH='/lib:/usr/lib:/usr/local/lib'
      * nano -w /mnt/gentoo/etc/env.d/00basic
    * chrooting
      * nano -w /mnt/gentoo/root/.bash_profile
        \ [[ -f ~/.bashrc ]] && . ~/.bashrc
        \ note: the bashrc for user john will be updated to contain this line automatically when that user is created because of /etc/skel/.bash_profile containing it and it's from package app-shells/bash-4.3_p33-r2
      * nano -w /mnt/gentoo/root/.bashrc
        \ # contents:
        \ shopt -u cdspell
        \ # -1 works for bash 4.3+ not 4.2 (likely due to some readline bug)
        \ # "Numeric values less than  zero  result  in every  command  being  saved  on  the  history  list (there is no limit)":
        \ # use this when on livecd and thus bash is 4.2
        \ export HISTSIZE=9999999
        \ # use this when updated to unstable 4.3 bash:
        \ #export HISTSIZE=-1
        \ # "Non-numeric  values  and numeric values less than zero inhibit truncation":
        \ export HISTFILESIZE=${HISTSIZE}
        \ unset HISTCONTROL
        \ unset HISTIGNORE
        \ export HISTTIMEFORMAT='%F %T '
        \ export FUNCNEST=30000
        \ unset GLOBIGNORE
        \ unset EMACS
        \ unset CDPATH
        \ 
        \ some info follows (you can skip this):
        \ looks like the bash version (even after sync'ing) is outdated: 4.2.53(1)-release (x86_64-pc-linux-gnu) versus 4.3.30(1)-release on my current manjaro linux, and only the latter treats HISTSIZE=-1 correctly; the former doesn't allow the UpArrow key to retrieve any commands and thus acts like there's no history, even though the commands are saved in .bash_history; THE ODD THING IS, THIS WORKS FINE FOR root ! but not for the john user.
        \ so better use HISTSIZE=9999999 for now - bash segfaults if you used -1 and then updated to 999999, due to mixed content in .bash_history (the commented timestamp wasn't saved with -1) - looks like updating to readline-6.2_p5-r1 fixed that, or is it "Installing (1 of 2) sys-libs/readline-6.3_p8-r1::gentoo"? weird, because then it says "Building package for sys-libs/readline-6.2_p5-r1", which is what? maybe it saved the previous version? yet that's it (even though for the 2 of 2 for bash this didn't even appear, yet the prev. version is there: /usr/portage/packages/app-shells/bash-4.2_p53.tbz2 )
        \ bash needs updating (can do this only later on, when booted into the system): emerge -a ">bash-4.3"  then you need to use dispatch-conf to apply the /etc/portage/package.accept_keywords change, which means ~amd64, meaning use the unstable bash version on the amd64 architecture; then run that emerge again. To see what that U flag means when emerge lists packages with --ask, see man emerge and search for: --pretend \(-p\)
        \ the only problem is, you can't run emerge at this point in the installation.
      * chroot /mnt/gentoo /bin/bash --login
        \ #CHROOT
        \ #SECONDBOOT unneeded:do this first: cp /etc/mtab /mnt/gentoo/etc/mtab
        \ --login it first reads and executes commands from the file /etc/profile, if that file exists. After  reading that file, it looks for ~/.bash_profile, ~/.bash_login, and ~/.profile, in that order, and reads and executes commands from the first one  that exists  and  is  readable. (see man bash , /INVOCATION)
        \
        \ if you're doing this in existing linux (so not inside virtualbox with livecd/installcd) then the command is:
        \ env -i HOME=$HOME TERM=$TERM chroot /mnt/gentoo /bin/bash
        \ /usr/sbin/env-update
        \ to flush your environment
        \ as per at the end of this article: https://wiki.gentoo.org/wiki/Installation_alternatives#Building_parted_to_resize_partition
      - source /etc/profile 
        \ that bash -l does this
      - /usr/sbin/env-update
        \ this is optional (added by me); whatever it does (it regenerates /etc/profile.env from /etc/profile.d/* and regens /etc/ld.so.cache), it doesn't change /etc/profile itself, but it would affect /etc/profile sourcing (which uses profile.env); nothing is changed from the default profile.env as far as I can tell.
      - source ~/.bashrc
        \ only makes sense if you're not doing this in a new installation ie. if you're rescuing
        \ nevermind, bash -l does this indirectly(by having .bash_profile source .bashrc)
      * export PS1="(chroot1) $PS1"
        \ #SECONDBOOT that's all, unneeded:+ do this: vim /etc/mtab and :%s/mnt\/gentoo//g  then :%s/\/\//\//g  then remove any lines with mnt(should be 4 lines) then remove the first line(rootfs ) and what's now the 5th line(tmpfs / tmpfs) and finally remove the last four lines (proc, /sys, /dev, /run) and jump to grub below (shift+8 on #GRUBY)
    * get portage
      * download but fail to gpg check:
        * time emerge-webrsync -v -k
        \ 2min2sec
        \ 62MB
        \ this supposedly checks gpg key, but wait there's no gpg inside chroot yet
        \ emerge-webrsync: error: cannot check signature: gpg binary not found
        \ can't run this now:
        \ emerge --ask app-crypt/gnupg
      * manually check sig from outside chroot
        * switch to another terminal or start a new ssh session to have access to the gpg command, and run this outside chroot:
          * gpg --verbose --homedir /mnt/gentoo/etc/portage/gpg --verify /mnt/gentoo/usr/portage/distfiles/portage-201*.tar.xz.gpgsig /mnt/gentoo/usr/portage/distfiles/portage-201*.tar.xz
            \ new:
            \ Version: GnuPG v2
            \ gpg: armor header: 
            \ gpg: Signature made Tue Feb 10 00:55:53 2015 UTC using RSA key ID C9189250
            \ gpg: using subkey C9189250 instead of primary key 96D8BF6D
            \ gpg: using PGP trust model
            \ gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [ultimate]
            \ gpg: binary signature, digest algorithm SHA1
            \ old:
            \ gpg: Signature made Thu Jan  8 00:55:21 2015 UTC using RSA key ID C9189250
            \ gpg: Good signature from "Gentoo Portage Snapshot Signing Key (Automated Signing Key)" [unknown]
            \ gpg: WARNING: This key is not certified with a trusted signature!
            \ gpg:          There is no indication that the signature belongs to the owner.
            \ Primary key fingerprint: DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D
            \      Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F  DF1C EC59 0EEA C918 9250
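          \ added example (not from these notes or from Gentoo): rather than eyeballing "Good signature" in the output above, parse gpg's machine-readable --status-fd output and accept only a VALIDSIG whose primary-key fingerprint matches a pinned value. The pinned fingerprint is the primary key fingerprint gpg printed above; the function names and the sample status lines are my own (constructed, same key IDs as above).

```shell
#!/bin/sh
# Added example: automate the manual snapshot signature check.
# Parsing the human-readable "Good signature" text is fragile; the
# --status-fd lines are stable and carry the fingerprints.
# Pinned value = primary key fingerprint shown by gpg in the notes.
PINNED_PRIMARY_FPR="DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D"

# gpg_status_ok < status-output ; returns 0 only for an acceptable signature
gpg_status_ok() {
    st=$(cat)
    # any explicit negative verdict wins, even if a VALIDSIG line is also
    # present (gpg emits EXPKEYSIG/REVKEYSIG together with VALIDSIG)
    if printf '%s\n' "$st" \
        | grep -Eq '^\[GNUPG:] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY) '; then
        return 1
    fi
    # exactly one VALIDSIG line is expected for one detached signature
    n=$(printf '%s\n' "$st" | grep -Ec '^\[GNUPG:] VALIDSIG ' || true)
    [ "$n" -eq 1 ] || return 1
    # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <resv> <pk-algo>
    #          <hash-algo> <class> <primary-fpr>
    # the primary fingerprint is the last field; an old gpg that omits it
    # leaves the sig class as $NF, so the comparison then fails closed
    primary=$(printf '%s\n' "$st" \
        | awk '/^\[GNUPG:] VALIDSIG /{print toupper($NF)}')
    [ "$primary" = "$PINNED_PRIMARY_FPR" ]
}

# verify_snapshot SNAPSHOT SIGFILE GPGHOME : the gpg command from the notes
# plus --status-fd 1 so the verdict can be parsed (assumed wrapper name)
verify_snapshot() {
    gpg --homedir "$3" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | gpg_status_ok
}

# Constructed status lines in the shape gpg prints for the signature shown
# in the notes (same key ID C9189250 / primary 96D8BF6D and fingerprints).
sample_status_good() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG EC590EEAC9189250 Gentoo Portage Snapshot Signing Key (Automated Signing Key)' \
        '[GNUPG:] VALIDSIG E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250 2015-02-10 1423529753 0 4 0 1 2 00 DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D' \
        '[GNUPG:] TRUST_ULTIMATE'
}
# Same shape, but a perfectly valid signature from some other key
# (placeholder fingerprint): must be rejected despite GOODSIG.
sample_status_wrong_key() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <placeholder@example.invalid>' \
        '[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2015-02-10 1423529753 0 4 0 1 2 00 00112233445566778899AABBCCDDEEFF01234567' \
        '[GNUPG:] TRUST_UNDEFINED'
}
# Expired signing key: gpg prints EXPKEYSIG and still a VALIDSIG; reject.
sample_status_expired() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] EXPKEYSIG EC590EEAC9189250 Gentoo Portage Snapshot Signing Key (Automated Signing Key)' \
        '[GNUPG:] VALIDSIG E1D6ABB63BFCFB4BA02FDF1CEC590EEAC9189250 2015-02-10 1423529753 0 4 0 1 2 00 DCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D' \
        '[GNUPG:] TRUST_ULTIMATE'
}

if [ "${1:-}" = "--self-test" ]; then
    sample_status_good | gpg_status_ok && echo "good: accepted"
    sample_status_wrong_key | gpg_status_ok || echo "wrong key: rejected"
    sample_status_expired | gpg_status_ok || echo "expired: rejected"
fi
```

Run it with --self-test to see the three verdicts; for the real check call verify_snapshot with the snapshot, its .gpgsig and /mnt/gentoo/etc/portage/gpg as in the command above.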
      * switch back to the chroot-ed terminal
      * temporarily remove webrsync-gpg from make.conf
        \ nano -w /etc/portage/make.conf  (you no longer have vim here, because chroot-ed!)
        \ Ctrl+W webrsync, to position yourself on it and put a - in front of it
        \ ^ that edited the FEATURES line to NOT have webrsync-gpg or just put a - in front of it(better!)
        \ Ctrl+X, y, Enter
      * rerun:
        * but first, let's get rid of a warning:
          * mkdir -p /usr/portage/metadata/
          * nano -w /usr/portage/metadata/layout.conf
            \ masters = gentoo
        * time emerge-webrsync -v -k
          \ 39s
          \ FIXed: getting this warning:
          \ !!! Repository 'x-portage' is missing masters attribute in '/usr/portage/metadata/layout.conf'
          \ !!! Set 'masters = gentoo' in this file for future compatibility
      * put back webrsync-gpg from make.conf
        \ nano -w /etc/portage/make.conf
        \ edit the FEATURES line to have webrsync-gpg
    * fix re-reporting of warnings inside QA Notice block
      \ https://bugs.gentoo.org/show_bug.cgi?id=539848
      * nano -w /usr/lib/portage/python2.7/install-qa-check.d/90gcc-warnings
        \ Alt+G, 85
        \ comment out this line(using # ):
        \ f=$(LC_CTYPE=C LC_COLLATE=C "${grep_cmd}" -E "${joined_msgs}" "${PORTAGE_LOG_FILE}")
        \ add this line(indented properly, although not required 'cause this isn't python!):
        \ f=$(LC_CTYPE=C LC_COLLATE=C "${grep_cmd}" --invert-match -E $'^( \x1b\[33;01m\*\x1b\[0m |\x1b\[31;01m \* \x1b\[39;49;00m)' "${PORTAGE_LOG_FILE}" | LC_CTYPE=C LC_COLLATE=C "${grep_cmd}" -E "${joined_msgs}")
      * do same for 3.3 file
        * nano -w /usr/lib/portage/python3.3/install-qa-check.d/90gcc-warnings
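      \ added example (mine, not portage's code): the two-stage grep from the edited 90gcc-warnings line, run on constructed build-log lines so the effect is visible: lines that einfo/ewarn already printed (the coloured " * " prefixes) are dropped before the warning patterns are matched, so the QA Notice block doesn't re-report itself. The function names, the shortened joined_msgs list and the log lines are assumed/constructed.

```shell
#!/bin/sh
# Added example: the filter from install-qa-check.d/90gcc-warnings as
# edited above, isolated so it can be run on sample input.
esc=$(printf '\033')
# the two prefixes exactly as in the edited line: einfo (yellow "*")
# and ewarn (red " * ")
prefix_re="^( ${esc}\\[33;01m\\*${esc}\\[0m |${esc}\\[31;01m \\* ${esc}\\[39;49;00m)"
# small constructed stand-in for portage's joined_msgs pattern list
joined_msgs='implicit declaration of function|incompatible implicit declaration|cast to pointer from integer of different size'

# filter_gcc_warnings < build.log -> only warnings the compiler itself emitted
filter_gcc_warnings() {
    LC_CTYPE=C LC_COLLATE=C grep -v -E "$prefix_re" \
        | LC_CTYPE=C LC_COLLATE=C grep -E "$joined_msgs"
}

# count_gcc_warnings < build.log -> number of lines the QA check would report
count_gcc_warnings() {
    filter_gcc_warnings | wc -l | tr -d ' '
}

# count_unfiltered_warnings < build.log -> what the original single grep saw
count_unfiltered_warnings() {
    LC_CTYPE=C LC_COLLATE=C grep -E "$joined_msgs" | wc -l | tr -d ' '
}

# constructed sample log: one real compiler warning (the pinentry one from
# these notes), then the same warning echoed back by a previous QA check via
# einfo and ewarn, then an unrelated compile line
sample_build_log() {
    printf '%s\n' \
        "pinentry-curses.c:432:8: warning: implicit declaration of function 'addnwstr' [-Wimplicit-function-declaration]" \
        " ${esc}[33;01m*${esc}[0m QA Notice: Package triggers severe warnings which indicate that it" \
        " ${esc}[33;01m*${esc}[0m pinentry-curses.c:432:8: warning: implicit declaration of function 'addnwstr' [-Wimplicit-function-declaration]" \
        "${esc}[31;01m * ${esc}[39;49;00mpinentry-curses.c:432:8: warning: implicit declaration of function 'addnwstr' [-Wimplicit-function-declaration]" \
        "x86_64-pc-linux-gnu-gcc -O2 -pipe -c foo.c"
}

if [ "${1:-}" = "--self-test" ]; then
    echo "unfiltered: $(sample_build_log | count_unfiltered_warnings)"   # 3
    echo "filtered:   $(sample_build_log | count_gcc_warnings)"          # 1
fi
```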
    * select profile
      * eselect profile list
        \ already selected:
        \   [13]  hardened/linux/amd64/no-multilib *
        \ nope: do we need the selinux one? [23]  hardened/linux/amd64/no-multilib/selinux   (if yes, then needs flags changed too!)
        \ old: [26]  hardened/linux/uclibc/amd64 *
      - select no-multilib (unless already selected)
        \ eselect profile set 17
        \ eselect profile list
        \ to see if it's the right one
        \ default/linux/amd64/13.0/no-multilib
    * configure locales XXX: only if not using uClib !!
      \ sys-libs/glibc-2.19-r1 (/etc/locale.gen)
      \ this means the uClib hardened gentoo doesn't have/use this! (right?)
      \ Do I need to hold off on any emerge --ask  invocations until after I've set up locale ?
      * nano -w /etc/locale.gen
        \ XXX: this doesn't exist in uclibc version!
        \ uncomment the first two
        \ en_US ISO-8859-1
        \ en_US.UTF-8 UTF-8
      * run: locale-gen
        \ XXX: this doesn't exist in uclibc-hardened version?!
      * locale -a
        \ XXX: this doesn't exist in uclibc version?!
        \ to verify
      * set the system-wide locale settings
        * eselect locale list
        * Select the en_US.utf8 one:
          * eselect locale set 5
      * env-update && source /etc/profile
      * Ctrl+R, PS1
        \ export PS1="(chroot1) $PS1"
    * timezone
      - for hardened uclibc, need to install this because it doesn't exist ie. /usr/share/zoneinfo/ folder
        * FEATURES='-test' emerge --ask sys-libs/timezone-data
          \ must disable test because it cannot change locale ('cause uclibc doesn't do /etc/locale.gen)
      * ls /usr/share/zoneinfo/
        \ FIXME: this doesn't exist in uclibchardened version?!
        \ sys-libs/timezone-data-2014i-r1 (/usr/share/zoneinfo)
      * echo "Europe/Brussels" > /etc/timezone
      * emerge --config sys-libs/timezone-data
        \ this needs fakeroot - NO it doesn't, but you still get the warning:
        \ !!! FEATURES=fakeroot is enabled, but the fakeroot binary is not installed.
    - emerge -1v app-portage/cpuinfo2cpuflags
      \ ran: cpuinfo2cpuflags-x86
      \ refreshed the above CPU_FLAGS and USE flags, so this doesn't have to be run again!
    * get portage
      \ TODO: do I need the unstable one? currently going with stable one!
      * time emerge -1avu \>=portage-2.2
        \ does nothing because 2.2.14 already installed and latest (stable one!)
        \ say no to add to favorites hmmm, i added -1 arg so nvm.
        \ unstable was version: 2.2.18
      * XXX: patches in /etc/portage/patches/ are silently ignored when they are symlinks to any folder within /root (but not within /home (or /home/user), due to o-rx on /root and o+rx on the latter) and userpriv is in FEATURES, because the folder is inaccessible to portage:portage
        \ https://wiki.gentoo.org/index.php?title=%2Fetc%2Fportage%2Fpatches&diff=265028&oldid=200410
        * TODO: add portage patches that I manually edited in with nano above (and who knows what others i forget about at this moment)
    - if using unstable portage(2.2.18+) then remove SYNC setting from make.conf at this point!
      \ !!! SYNC setting found in make.conf.
      \ This setting is Deprecated and no longer used.  Please ensure your 'sync-type' and 'sync-uri' are set correctly in /etc/portage/repos.conf/gentoo.conf
      \ getting that ^ when running emerge anything (I think)
      * comment out the SYNC line:
        \ nano -w /etc/portage/make.conf
    * install ccache (3m18s)
      \ docsrc: https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Caching_compilation_objects
      * time emerge -av \>=ccache-3.2.1
        \ that adds ~amd64 keyword aka unstable... hmm i guess it's ok
        * dispatch-conf
        * rerun the above emerge
          \ 12s
      - time emerge -av dev-util/ccache
      * nano -w /etc/portage/make.conf
        \ change -ccache into ccache
      * nano -w ~/.bashrc
        \ export PATH="/usr/lib/ccache/bin:${PATH}:${HOME}/bin"
      * source /etc/profile ; source ~/.bashrc
      * Ctrl+R, PS1
        \ export PS1="(chroot1) $PS1"
      * mkdir ~/bin
        \ will add some scripts later, like dpaste for example.
      * to watch ccache in another (chrooted) terminal
        \ CCACHE_DIR="/var/tmp/ccache" watch -n1 -d -- ccache -s
        \ chrooted because the ccache command is not available on the live cd (admin cd currently; the install-cd doesn't have it either)
        \ to chroot:
        \ chroot /mnt/gentoo /bin/bash --login
        \ export PS1="(chroot2) $PS1"
    * fakeroot (17sec)
      \ fakeroot in FEATURES requires fakeroot(8)
      \ in effect only when building as non-root user
      * time emerge --ask --verbose sys-apps/fakeroot
        \ will get this warning running emerge, until fakeroot is installed:
        \ !!! FEATURES=fakeroot is enabled, but the fakeroot binary is not installed.
    - install mosh to "replace" ssh (7m48s) - NOPE, maybe some other time
      \ connecting to the remote host (this VM) only needs ssh running, the mosh package installed, and a utf8 locale set. then connect to it via: $ mosh root@10.0.2.15 - the IP used above when setting up networking
      * time emerge --ask -v net-misc/mosh
        - requires utf8 locales set to run. (already have them in hardened-nomultilib)
          \ echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
          \ locale-gen
          \ eselect locale set en_US.utf8
      * FIXME: port forward 60001 in VM
      * connect from host to guest(this VM)
        * mosh --ssh="ssh -p 8822" -- root@127.0.0.19
        - mosh doesn't work with port-forwarding!
          * tried:
            * put this file in /root/
              * vim ~/moshify
                \ #!/bin/bash
                \ echo "initial: $@"
                \ #remove second 'new' and '-s'
                \ set -- "`sed -re 's|^(.*)(new )+(.*)(new )+(.*)$|\1\2\3\5|' -e 's|^(.*)( -s)+(.*)$|\1\3|' <<< "$@" `"
                \ echo "after  : $@"
                \ mosh-server $@
              * chmod +x ~/moshify
            * try to connect:
              * mosh --server="./moshify new -i 127.0.0.19" --ssh="ssh -p 8822" -- root@127.0.0.19
                \ where 127.0.0.19 is the locally forwarded port on host, which forwards to the VM port 22 of ssh which has IP 10.0.2.15
                \ the local mosh-server listens inside the VM on 127.0.0.19 port 60001
                \ changing to 127.0.0.1 still fails
                \ changing to 10.0.2.15 still fails (yes in --server I mean)
                * it fails with:
                  \ mosh: Nothing received from server on UDP port 60001. [To quit: Ctrl-^ .]       
                * so why does this fail?! don't tell me I need to port forward 60001 on host too grr - well ofc I do, pf 60001 worked! and the --server isn't needed anymore
    - install tmux (2min12s)
      \ https://wiki.gentoo.org/wiki/Tmux
      \ TODO: check the vim-syntax USE flag; for now, know that it pulls in X libs and vim
      * time emerge --ask -v app-misc/tmux
    * the btrfs command (equery b btrfs shows which pkg) (3m1s)
      * time emerge -av sys-fs/btrfs-progs
        \ at most: 1m14s
    * install pfl (1m23s)
      \ https://wiki.gentoo.org/wiki/Pfl
      * time emerge -av pfl
      \ use e-file texthere   to find something in any package(even if not already installed)
      \ e-file cmdhere  instead of  equery b cmdhere  to find out which (non-installed!) package provides the command
    * install equery (11s)
      \ https://wiki.gentoo.org/wiki/Equery
      \ needed to run: revdep-rebuild or its replacement time emerge @preserved-rebuild
      * time emerge -av gentoolkit
      * examples:
        * equery b vim
          \ to find packages which provide vim command
          \ but vim is not installed so vim command doesn't exist at this moment so this will fail, use e-file vim  instead! (aka pfl package's e-file)
        * equery files alsa-lib | less
          \ to list all installed files of a package
    * time emerge -nav app-admin/sudo
      \ 7m38s
      - nano -w /etc/sudoers.d/john (NOTE: undid this, i.e. removed the file)
        \ %wheel ALL=(ALL) ALL
        \ now all users in group wheel can sudo (with their own password)
    * update gcc (even if using uClib)
      \ based on these instructions: https://wiki.gentoo.org/wiki/Upgrading_GCC#Short_Version
      * time emerge -av '>=sys-devel/gcc-4.9'
        \ answer y to make changes (adds ~amd64 keywords aka unstable, for this gcc)
        \ installed 4.9.2 (from 4.8.3)
        * dispatch-conf  (not needed currently)
          \ u
        * time emerge -av '>=sys-devel/gcc-4.9'
          \ 20m18s
          \ yep again, it will start this time!
          \ will fail if -DDEBUG is in CFLAGS!! https://bugs.gentoo.org/show_bug.cgi?id=545316#c12
          \ XXX: segfaults 3 times !! and still succeeded  (seen as cc1plus on dmesg)
      * gcc-config -l
      * gcc-config 6
        \  [6] x86_64-pc-linux-gnu-4.9.2
        \ pick the new one
      - XXX: at this point, for uclibc only, make sure that /etc/env.d/04gcc-x86_64-gentoo-linux-uclibc  has LDPATH set to eg. LDPATH="/usr/lib/gcc/x86_64-gentoo-linux-uclibc/4.9.2/"  otherwise you may get: can't load library 'libstdc++.so.6'
      * env-update && source /etc/profile ; source ~/.bashrc
        \ looks like gcc-config already runs env-update!
      * Ctrl+R, PS1
        \ export PS1="(chroot1) $PS1"
      * time emerge --oneshot libtool  (unless uclibc, if uclibc do below:)
        \ 32s
        - this fails test phase with uclibc, so, do this instead:
          * emerge -a --autounmask-write -u '>libtool-2.4.3'
            * dispatch-conf
              \ u
            * emerge -a -u '>libtool-2.4.3'
      * keep old gcc?
        * if yes then: emerge -nav =gcc-4.8.4  (will add it to favorites, so depclean won't remove it next time)
        * if not then:
          * time emerge -a --depclean  (XXX: but I wanna keep the old gcc for now, so don't!)
            \ this will remove old gcc version (4.8.3 in this case)
      * time emerge @preserved-rebuild  (old version: revdep-rebuild)
        \ this is part of gentoolkit package (revdep-rebuild is)
        \ finds nothing to update, usually!
        - I have man and man-db broken, and man-db fails 1 test
          * emerge -a -u '>man-db-2.6.6'
            * dispatch-conf
              \ u
            * emerge -a -u '>man-db-2.6.6'
              \ 2.7.1 fails 2 tests grrr
              \ looks like sh and bash give this error:
              \ shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
              \ this happens when the current folder got deleted, to fix just cd .  or cd / to a known existing directory
      - gcc-config -l
        \ that old one still in list? https://bugs.gentoo.org/show_bug.cgi?id=130772#c18
        * rm /etc/env.d/gcc/x86_64-pc-linux-gnu-4.8.3
          \ remove old one from list
          * for uclibc hardened:  
            \ rm /etc/env.d/gcc/x86_64-gentoo-linux-uclibc-4.8.3
            \ remove the 4.8.3 from:
            \ nano -w /etc/env.d/04gcc-x86_64-gentoo-linux-uclibc
            \ env-update && source /etc/profile
        * FEATURES="-test -stricter" emerge -a '>sys-libs/uclibc-0.9.33.2-r11'
        * FEATURES='-test' emerge @preserved-rebuild  (old cmd: revdep-rebuild)
          \ rebuilds gcc, man, man-db
          \ and fail
        * time emerge @preserved-rebuild  //revdep-rebuild, hmm same errors again? wtf
          \  * Checking dynamic linking consistency
          \ [ 30% ]  *   broken /usr/bin/man (requires libman-2.7.1.so (0x00000000)
          \ libmandb-2.7.1.so (0x00000000))
          \ [ 31% ]  *   broken /usr/bin/mandb (requires libman-2.7.1.so (0x00000000)
          \ libmandb-2.7.1.so (0x00000000))
          \ [ 50% ]  *   broken /usr/lib/gcc/x86_64-gentoo-linux-uclibc/4.9.2/libcilkrts.la (requires -lpthread)
          \ *   broken /usr/lib/gcc/x86_64-gentoo-linux-uclibc/4.9.2/libcilkrts.la (requires -ldl)
          \ [ 54% ]  *   broken /usr/lib/libltdl.la (requires -ldl)
          \ [ 100% ]     
          * looks like it's because I removed that /lib and /usr/lib folders, putting them back skips gcc in above list ^
          * and to fix man-db from being detected as broken, I've to also add /usr/lib/man-db/ to LDPATH TODO: tomorrow
        * gcc-config -l
          \ check that it was done
        * may also check if any other file is using the old one
          \ cd /etc/env.d && grep -r 4.8.3
          \ src: https://wiki.gentoo.org/wiki/Changing_the_CHOST_variable#Verifying_things_work
      * gcc --version
      - env-update && source /etc/profile
        \ to be sure
    * time emerge -av sys-apps/mlocate 
      \ 20s
      \ to have the locate command
    * update bash to fix the HISTSIZE=-1 bug as follows: (don't update .bashrc yet!)
      \ this updates readline to latest/unstable, which is used below when installing gnupg (XXX: unsure how much this matters, because doing them in reverse order and then running emerge --update --ask @world doesn't update gnupg at all, so maybe it's using the latest readline anyway)
      * time emerge -nav ">bash-4.3"
        \ --autounmask-write
      * dispatch-conf
        \ u - to use new
      * emerge -a ">bash-4.3"
        \ 1m18s
        \ To see what that U flag means when emerge lists packages with --ask, man emerge search for: --pretend \(-p\)
    * time emerge -av app-crypt/gnupg
      \ 2m3s
      \ for future emerge-webrsync -v -k  invocations
      - for uclibc might fail due to stricter, with 1 warning, so recompile like so:
        \ FEATURES='-stricter' emerge --ask app-crypt/gnupg
      * pinentry will fail with stricter, recompile(stricter is already disabled, ignore this step now):
        \ app-crypt/pinentry-0.9.0-r3  tested to fail
        \  * QA Notice: Package triggers severe warnings which indicate that it
        \ *            may exhibit random runtime failures.
        \ * pinentry-curses.c:432:8: warning: implicit declaration of function 'addnwstr' [-Wimplicit-function-declaration]
        \
        \ * Please do not file a Gentoo bug and instead report the above QA
        \ * issues directly to the upstream developers of this software.
        * time FEATURES="-stricter" emerge -av1 pinentry
    * replace udev with eudev (1m54s)
      \ do we need this?
      * time emerge -av '>=sys-fs/eudev-2.1'
        \ 44s
        \ this will add ~amd64 aka unstable, whatever, do it!
      - /etc/init.d/udev --nodeps restart
        \ unsure if this is needed at this time, or only when running the system normally (not from within chroot)
      - a test will fail https://github.com/gentoo/eudev/issues/101
        * rebuild with keeping working folder via:
          \ ebuild /usr/portage/sys-fs/eudev/eudev-2.1.1.ebuild merge
          \ it will only execute the steps it didn't already, so from test onwards (supposedly)
      - run this inside non-chrooted vm:  (i don't think it's needed tho hmm, but I did it anyway)
        \ /etc/init.d/udev --nodeps restart
        \ yeah this doesn't make sense because eudev binary is only inside chroot anyway!
    * add user john:
      * check /etc/skel/.bash_profile if it has the same include line that we added to /root/.bash_profile
        * diff -up /etc/skel/.bash_profile /root/.bash_profile
          \ all good
      * useradd -m -G users,wheel,audio,cdrom,video,usb,portage -s /bin/bash john
      * passwd john
    * get vim (~19m)
      - nano -w /etc/portage/package.use/vim
        \ put this line:
        \ app-editors/vim -debug
        \ this is just in case the debug USE flag gets enabled globally at some point
        \ the debug flag must be off for vim, otherwise it creates nfa_regexp_*.log files in the current folder whenever vim is invoked!  these files, especially nfa_regexp_run.log, grow very big very fast, eg. 200+ MB
      * time emerge -av app-editors/vim
        \ 6m55s
      - time emerge -av app-vim/vim-spell-en
        \ vim ~/.vimrc
        \ :setlocal spell spelllang=en
        \ avoid this because of too much red highlighting when editing make.conf
      * put in ~/.bashrc for root only (john's copy is updated below):
        * vim ~/.bashrc
          \ EDITOR="/usr/bin/vim"
      * fix too dark blue with urxvt
        * vim ~/.vimrc  (new file), append this line:
          \ colorscheme torte
          \ " to allow for lines in edited files like this to take effect:
          \ " # vim: set ts=2:
          \ " set modeline
          \ " ok security vuln. don't set modeline! use securemodelines script (somehow)
      * done: actually use my real .vimrc here
        \ scp -P 22 -4vp .vimrc root@192.168.1.2:/mnt/gentoo/root
        \ changed, commented out: " set directory=/tmp/vim
        \ or else something had to create that dir on boot!
    * Midnight Commander
      * TODO: place my mc patches in /etc/portage/patches or something here, before emerge
      * time emerge -av app-misc/mc
        \ 2m37s
        \ from /var/log/portage/elog/summary.log :
        \ To enable exiting to latest working directory,
        * put this into your ~/.bashrc:  (john user will be updated later)
          \ source /usr/libexec/mc/mc.sh
    - add reboot/shutdown users (forget this!)
      \ for easy reboots
      * useradd -M -s /sbin/reboot --home /sbin -- reboot
      * passwd reboot
      \ can't log in, because /sbin/reboot is not in /etc/shells
      \ XXX: after adding it there I can log in, but it won't let me reboot because I'm not root, so forget it; definitely don't want to set the suid bit on /sbin/reboot!
      \ a shutdown user already exists (uid 6), but not the group
      * vim /etc/shells
        \ append this line:
        \ /sbin/reboot
    * copy .bashrc for john
      \ cp ~/.bashrc /home/john/ && chown john /home/john/.bashrc
    * copy .vimrc for john
      \ cp ~/.vimrc /home/john && chown john /home/john/.vimrc
    * add nano to the world set so it won't be removed by emerge --depclean
      \ emerge --noreplace app-editors/nano
    * fstab fixture
      * vim /etc/fstab
        \ just edit the template and add some stuff
        \ XXX: do not use discard in fstab, mount or tune2fs: deleting a ton of files then gets expensive! run fstrim periodically instead!! (also don't use fstrim for now, because the VM currently doesn't support TRIM: discard="true" is deliberately not set in the .vbox file, so that it won't shrink the .vdi file, because that costs writes on the host's real SSD)
        \ XXX: for btrfs the fs_passno (last field) should be 0
        \ looks like this:
        \ /dev/mapper/luks_on_sda2_boot               /but           btrfs            async,relatime,noauto,rw,nosuid,nodev,noexec,nouser,loud,ssd,autodefrag,compress=lzo,datasum,datacow,space_cache,commit=300  1 0
        \ /dev/vgall/rootlvol               /               btrfs           async,relatime,noauto,rw,suid,dev,exec,nouser,loud,ssd,autodefrag,compress=lzo,datasum,datacow,space_cache,commit=300         0 0
        \ # do not add errors=remount-ro  because btrfs says: unrecognized mount option
        \ #/dev/SWAP              none            swap            sw              0 0
        \ /dev/cdrom              /mnt/cdrom      auto            noauto,ro       0 0
        \ /dev/fd0                /mnt/floppy     auto            noauto          0 0
        \ tmpfs                   /tmp            tmpfs           rw,nosuid,relatime,nodev,size=90%,mode=1777 0 0
        \ #tmpfs                   /var/tmp        tmpfs rw,nosuid,relatime,nodev,size=90%,mode=1777 0 0
        \ #tmpfs                   /var/tmp/portage        tmpfs   rw,nosuid,relatime,nodev,size=90%,mode=775,uid=portage,gid=portage,x-mount.mkdir=775 0 0
      - make sure /var/tmp/portage gets mounted on startup!
        \ not needed anymore due to x-mount.mkdir  (see man 8 mount)
        * vim /etc/local.d/portagemount.start
          \ mkdir /var/tmp/portage
          \ mount /var/tmp/portage
        * chmod +x /etc/local.d/portagemount.start 
        - already added
          \ rc-update add local default
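      * added example (not from these notes): lint the fstab for the pitfalls above
        \ a POSIX sh script that flags discard, a non-zero fs_passno or errors=remount-ro on btrfs, and a tmpfs without nosuid/nodev. the sample fstab inside it is constructed to mirror the entries above plus one deliberately wrong line; run it on the real file with: lint_fstab < /etc/fstab

```shell
# Added example, not part of these notes: lint an fstab for the pitfalls
# called out above (discard, btrfs fs_passno, errors=remount-ro on btrfs,
# tmpfs without nosuid/nodev). The sample fstab is constructed inline to
# mirror the entries above, plus one deliberately wrong line.

SAMPLE_FSTAB='/dev/mapper/luks_on_sda2_boot /but btrfs async,relatime,noauto,rw,nosuid,nodev,noexec,nouser,loud,ssd,autodefrag,compress=lzo,datasum,datacow,space_cache,commit=300 1 0
/dev/vgall/rootlvol / btrfs async,relatime,noauto,rw,suid,dev,exec,nouser,loud,ssd,autodefrag,compress=lzo,datasum,datacow,space_cache,commit=300 0 0
/dev/cdrom /mnt/cdrom auto noauto,ro 0 0
tmpfs /tmp tmpfs rw,nosuid,relatime,nodev,size=90%,mode=1777 0 0
# constructed bad entry: discard, remount-ro and a non-zero passno on btrfs
/dev/vgall/homelvol /home btrfs rw,discard,errors=remount-ro 0 1'

# has_opt OPTS NAME: true if NAME is one of the comma-separated mount options
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# lint_fstab: reads fstab text from stdin, prints one finding per line and
# returns the number of findings (0 means clean)
lint_fstab() {
    findings=0
    while read -r dev mnt fstype opts dump passno; do
        # skip blank lines and comments
        case "$dev" in ''|'#'*) continue ;; esac
        if has_opt "$opts" discard; then
            echo "$mnt: 'discard' in fstab; mass deletes get expensive, run fstrim periodically instead"
            findings=$((findings + 1))
        fi
        if [ "$fstype" = btrfs ]; then
            if [ "${passno:-0}" != 0 ]; then
                echo "$mnt: btrfs fs_passno must be 0 (got $passno)"
                findings=$((findings + 1))
            fi
            if has_opt "$opts" errors=remount-ro; then
                echo "$mnt: errors=remount-ro is not a btrfs mount option"
                findings=$((findings + 1))
            fi
        fi
        if [ "$fstype" = tmpfs ]; then
            # a world-writable tmpfs is where setuid/device-node tricks land
            for need in nosuid nodev; do
                if ! has_opt "$opts" "$need"; then
                    echo "$mnt: world-writable tmpfs should carry $need"
                    findings=$((findings + 1))
                fi
            done
        fi
    done
    return "$findings"
}

# lint_sample: run the linter over the constructed sample above
lint_sample() {
    printf '%s\n' "$SAMPLE_FSTAB" | lint_fstab
}

lint_sample || echo "findings: $?"
```

        \ on the sample it reports three findings, all on the constructed /home line; the real /but and /tmp entries above pass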
    * Kernel
      \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel
      - time emerge -av sys-kernel/gentoo-sources  (the git version is git-sources)
      - time emerge -av sys-kernel/git-sources
        \ this works with ccache, no PIC error (I mean later when compiling it with genkernel!!)
      * time emerge -a sys-kernel/hardened-sources
        \ 3.18.9  (stable)
        \ 1m3s
      - time emerge -a '>=sys-kernel/hardened-sources-3.19.3'  (don't add -v because there are too many files to display)
        \ this is unstable 3.19.3-r1
        \ dispatch-conf
        \ XXX: NOPE: looks like I may need the hardened-sources kernel instead of the git one, to avoid the compile error about PIC not being available (when using genkernel to compile it, not now when emerging the sources!)
        \ ok, that wasn't it, because I'm getting it while compiling this now: "code model kernel does not support PIC mode".  supposed fix: env-update && source /etc/profile ; hash -r   ok, nvm, this doesn't work either (except for hardened-sources); what does work is below, search for PIC
      * time emerge -nav =sys-apps/gradm-3.1*
        \ that's unstable, so run dispatch-conf, press u (use new), then rerun the above
        \ technically not needed because we won't enable grsec in the kernel yet (in this .wofl you're reading)
        \ 14s
      * compile
        * genkernel (because VM)
          * time FEATURES="-ccache" emerge --ask --verbose '>sys-kernel/genkernel-3.4.51'
            \ it's unstable, unsure if needed, but it worked before. 3.4.51.2 now
            \ 9m32s
            \ XXX: this installs lvm2 and cryptsetup too, due to cryptsetup USE flag
            * lvm2
              * dispatch-conf (zap new!, because it wants to restore the defaults!)
              * rc-update add lvm boot
            * cryptsetup (nothing to do here, go to next step)
              * TODO: see this example for luks mountpoint configuration: /etc/conf.d/dmcrypt
                \ TODO: add the /but here so we can mount it (aka luksOpen) faster than having to specify
                \ also use crypt_root=/dev/blah instead of real_root=luks:/dev/blah.
          - time emerge --ask sys-kernel/genkernel
            \ this might take a while
          * XXX: /but must be already mounted at this point!!
            \ df /but
            \ should show 1G total, if it's mounted
          * eselect kernel list
            \ // [1]   linux-4.0-rc5 *
            \   [1]   linux-3.18.9-hardened *
            \ ^ that's the only one in list at this point
          - mkdir /etc/ld.so.conf.d/
            \ otherwise genkernel would error like this:
            \ * ERROR: Could not copy ld.so.conf.d
            \ only affects hardened uClibc
            \ TODO: report this and move it far up from here
          * XXX: WARNING: don't use --mrproper below if you already have a .config in the folder somehow (normally you wouldn't if you followed all the steps above in a first time install)
          - must not use ccache, or else we hit this error (only with hardened-sources, not with git-sources) - this no longer seems to apply to hardened-sources, at least not after env-update && source /etc/profile ; hash -r
            \ XXX: error: code model kernel does not support PIC mode
            \ fix attempt (NOPE, this doesn't work, at least when compiling x11-drivers/xf86-video-virtualbox-4.3.26):
            \ env-update ; source /etc/profile ; hash -r ; CCACHE_DIR="/var/tmp/ccache/" ccache -C
            \ don't pass -z to ccache because we want to keep the statistics
            \ OR (this should work:) env-update && source /etc/profile && echo $PATH && time FEATURES="-ccache" emerge -av x11-base/xorg-drivers
            \ so, either pass a PATH after `time` and before `genkernel` below which doesn't include /usr/lib/ccache/bin (as was already set above, search for: ccache- )
            \ or just somehow make sure `which gcc` isn't ccache's gcc
          * radeon needs its firmware
            \ ie. not for virtualbox!!
            * time emerge -nav x11-drivers/radeon-ucode
              \ this package installs radeon/R700_rlc.bin (the file dmesg reported as failed to load, error -2) as /lib/firmware/radeon/R700_rlc.bin
            * TODO/FIXME: https://wiki.gentoo.org/wiki/Radeon#Firmware  to see how to remove all other unneeded firmwares!
          * source /etc/profile
            \ to drop the PATH entry from ~/.bashrc that points at ccache's bin, and thus avoid the PIC error
          * time FEATURES="-ccache" genkernel --menuconfig all --bootdir="/but" --install --symlink --no-splash --no-mountboot --makeopts="-j4 V=0" --no-keymap --lvm  --no-mdadm --no-dmraid --no-zfs --no-multipath --no-iscsi --disklabel --luks --no-gpg --no-netboot --no-unionfs --kernname=genkernel --no-firmware --no-integrated-initramfs --compress-initramfs --compress-initrd --compress-initramfs-type=best --loglevel=5 --color --mrproper --clean --no-postclear
            \ DO NOT RERUN THIS ^ ONCE YOU HAVE EXITED MENUCONFIG!!!!! it will wipe your .config, because of --mrproper !!
            \ no ccache, to avoid that PIC error: ccache 3.2+ (I think) doesn't pass -D__KERNEL__ or something like that, see bug: https://bugs.gentoo.org/show_bug.cgi?id=535984
            \ WARNING: after successfully running genkernel, you have to re-run grub2-mkconfig (which we do later if you follow this guide thingy)! (booting the previous kernel still works though, because grub.cfg isn't changed and all previous kernel files are kept in /but and are available in a grub submenu called Advanced at boot!)
            \ 13m7s
            \ #XXX: note that --bootloader=grub  uses grub.conf instead of the new name(as per `info grub`) of grub.cfg !! ergo it will fail
            \ replace --mrproper and --clean with --no-clean only if not the first time running this!
            \ compiles a kernel that supports almost all hardware, this compilation will take quite a while to finish! 
            \ Once genkernel completes, a kernel, full set of modules and initial ram disk (initramfs) will be created.
            * reminder of steps after boot needed to regen kernel:  
              * luksOpen the sda2 luks device
              * mount /but
              * cd /usr/src/linux ; make nconfig
                * change stuff
                * exit and save
              * genkernel (without any clean or mrproper options!!  no-clean no-mrproper yes!)
              * rerun grub2-mkconfig command
              * umount /but
              * luksClose
              * ready to: reboot & exit
            * while in MENUCONFIG:
            * CONFIG_DEBUG_FS
              \ to have access to radeon temperatures in /sys/kernel/debug/dri/1/radeon_pm_info
              * Kernel hacking -> Compile-time checks and compiler options -> Debug Filesystem
                \ select it [*]
            * usb keyboard detection at the luks prompt (or else you have no keyboard, unless you plug a PS2 one):
              * Device Drivers -> USB support  ---> {*} Support for Host-side USB
                \ make it Y not M
              * Device Drivers -> HID support  ---> USB HID support  ---> <*> USB HID transport layer 
                \ make it Y now, not M
              * Device Drivers -> USB support  ---> <*>     EHCI HCD (USB 2.0) support
                \ make it Y not M!
              * Device Drivers -> USB support  ---> <*>     OHCI HCD (USB 1.1) support
                \ make it Y not M!
              * with just the above 4, usb keyboard is still dead at luks prompt, works afterwards though
              * make this happen, in Device Drivers -> USB support  --->
                \ {*}     Generic EHCI driver for a platform device
                \ <*>       OHCI support for PCI-bus USB controllers
                \ {*}       Generic OHCI driver for a platform device
                \ <*>     UHCI HCD (most Intel and VIA) support
              * now the usb keyboard should work at luks prompt before mounting /
            * for radeon driver to work in kernel:
              \ aka for KMS to work; also this in dmesg [drm:rv770_init] *ERROR* Failed to load firmware!
              * this is already selected:
                \ [*]   Include in-kernel firmware blobs in kernel binary 
              * set the firmware .bin to:
                * ()    External firmware blobs to build into the kernel binary
                  \ radeon/R700_rlc.bin radeon/RV770_smc.bin radeon/RV770_uvd.bin
                  \ if u have different card, then more/different firmware files to add ^ above, see: https://wiki.gentoo.org/wiki/Radeon#Firmware
                  * a new item appears:
                    * (firmware) Firmware blobs root directory (NEW) 
                      \ set it to this:
                      \ /lib/firmware/
                      \ it's where x11-drivers/radeon-ucode package put all the .bin firmwares.
              * build these as Y not M (not modules!)
                * Device Drivers  ---> Graphics support  ---> 
                  * Direct Rendering Manager  ---> 
                    \ can deselect all others in this screen
                    * <*> Direct Rendering Manager (XFree86 4.1.0 and higher DRI support)
                    * <*> ATI Radeon
                  * Frame buffer Devices  ---> 
                    * -*- Support for frame buffer devices  --->
                    * <*> ATI Radeon display support 
                      \ this might not be needed at all!! according to wiki: it is deselected!
                    * [*]   DDC/I2C for ATI Radeon support
                    * [*]   Support for backlight control
                    * [*]   Lots of debug output from Radeon driver
                    * these were preselected
                      \ can remove all others
                      * [*] VESA VGA graphics support
                      * [*] EFI-based Framebuffer Support
                  * Console display driver support  ---> 
                    \ optional but I did it anyway
                    * [*]   Enable Scrollback Buffer in System RAM
                    * (1024)  Scrollback Buffer Size (in KB)
            * disable user firmware loader, by doing the following:
              \ why disable? https://wiki.gentoo.org/wiki/Udev/upgrade#udev_216_to_217
              * disable CONFIG_DELL_RBU: it selects CONFIG_FW_LOADER_USER_HELPER, so with it off the user-space firmware helper is no longer force-enabled
                \ Firmware Drivers  ---> BIOS update support for DELL systems via sysfs
            * don't forget to enable BTRFS in kernel (not as module, to be sure) - it's in Filesystems->BTRFS enable all suboptions.
            * xfce-extra/xfce4-power-manager-1.3.0 needs kernel option CONFIG_TIMER_STATS to be set: *   CONFIG_TIMER_STATS:  is not set when it should be.
              \ Kernel hacking  ---> Collect kernel timers statistics
            * TODO: set CONFIG_GRKERNSEC=y
              \ and other suboptions... TODO:
            * Exit menu and Save, compiling will commence automatically!
              \ NOTE: the new kernel only becomes bootable once grub2-mkconfig is rerun, which we do later
            * not outdated: if you're in the system already(ie. rebooted once) run this instead:
              \ (basically remove --mrproper --clean and replace with --no-clean --oldconfig) and have /but mounted!! (or, so I don't forget, use --mountboot)
              \ FEATURES="-ccache" genkernel --menuconfig all --bootdir="/but" --install --symlink --no-splash --makeopts="-j4 V=0" --no-keymap --lvm  --no-mdadm --no-dmraid --no-zfs --no-multipath --no-iscsi --disklabel --luks --no-gpg --no-netboot --no-unionfs --kernname=genkernel --no-firmware --no-integrated-initramfs --compress-initramfs --compress-initrd --compress-initramfs-type=best --loglevel=5 --color --no-clean --oldconfig --no-mountboot --no-postclear --no-mrproper
              \ # --no-postclear won't delete the busybox and lvm2 that were just built every time genkernel is ran.
              \ # --kernname=genkernel  should be! otherwise /etc/grub.d/10_linux will not find the initramfs image due to hardcoded stuff. FIXME ? or just use --bootloader=grub
              \ # --oldconfig implies --no-clean which in turn implies --no-mrproper; it's also OLDCONFIG="yes" by default in /etc/genkernel.conf ; also this implies (they say in that .conf comments) that if clean is NO, it won't copy over any configuration file(from /etc/kernels/), it will use what's there(the .config) instead. But I dno how true that is because I'm seeing this message: * Linux Kernel 3.17.7-gentoo for x86_64...              * .. with config file /etc/kernels/kernel-config-x86_64-3.17.7-gentoo
          - ls /boot/kernel* /boot/initramfs*
            \ DON'T need this for grub2 (because auto detected)
            \ Write down the names of the kernel and initrd as this information is used when the boot loader configuration file is edited.
            \ kernel-genkernel-x86_64-3.17.7-gentoo
            \ initramfs-genkernel-x86_64-3.17.7-gentoo
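          * added example (not from these notes): check the .config against the menuconfig walkthrough above before compiling
            \ a POSIX sh script that reads a kernel .config and reports every symbol that isn't built in (=y) or off as required by the steps above (USB keyboard at the luks prompt, btrfs, radeon, debugfs, timer stats, no user-space firmware helper). symbol names are derived from the menu entries above, so confirm a doubtful one with the / search in menuconfig; the embedded .config is constructed with two deliberate mistakes. on the real tree: check_config "$(cat /usr/src/linux/.config)"

```shell
# Added example, not part of these notes: check a kernel .config for the
# options the menuconfig walkthrough above asks for, before genkernel spends
# its 13 minutes compiling. Symbol names are derived from the menu entries
# above (confirm any doubtful one with / search in menuconfig); the sample
# .config is constructed and deliberately has two things wrong.

SAMPLE_CONFIG='CONFIG_DEBUG_FS=y
CONFIG_USB=y
CONFIG_USB_HID=m
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_EHCI_HCD_PLATFORM=y
CONFIG_USB_OHCI_HCD=y
CONFIG_USB_OHCI_HCD_PCI=y
CONFIG_USB_OHCI_HCD_PLATFORM=y
CONFIG_USB_UHCI_HCD=y
CONFIG_BTRFS_FS=y
CONFIG_DRM=y
CONFIG_DRM_RADEON=y
CONFIG_EXTRA_FIRMWARE="radeon/R700_rlc.bin radeon/RV770_smc.bin radeon/RV770_uvd.bin"
CONFIG_EXTRA_FIRMWARE_DIR="/lib/firmware/"
CONFIG_FW_LOADER_USER_HELPER=y
# CONFIG_DELL_RBU is not set
CONFIG_TIMER_STATS=y'

# name=value pairs we insist on: y = built in (a module is not good enough at
# the LUKS prompt or for the root fs), n = must be off
WANT='CONFIG_DEBUG_FS=y
CONFIG_USB=y
CONFIG_USB_HID=y
CONFIG_USB_EHCI_HCD=y
CONFIG_USB_EHCI_HCD_PLATFORM=y
CONFIG_USB_OHCI_HCD=y
CONFIG_USB_OHCI_HCD_PCI=y
CONFIG_USB_OHCI_HCD_PLATFORM=y
CONFIG_USB_UHCI_HCD=y
CONFIG_BTRFS_FS=y
CONFIG_DRM=y
CONFIG_DRM_RADEON=y
CONFIG_FW_LOADER_USER_HELPER=n
CONFIG_DELL_RBU=n
CONFIG_TIMER_STATS=y'

# config_value CONFIG_TEXT NAME: prints y, m, n (for "is not set" or absent),
# or the literal value for string/int symbols
config_value() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $0 == name "=y"               { print "y"; found = 1; exit }
        $0 == name "=m"               { print "m"; found = 1; exit }
        $0 == "# " name " is not set" { print "n"; found = 1; exit }
        index($0, name "=") == 1      { print substr($0, length(name) + 2); found = 1; exit }
        END { if (!found) print "n" }'
}

# check_config CONFIG_TEXT: prints each symbol that deviates from WANT and
# returns the number of deviations (0 = ready for genkernel)
check_config() {
    bad=0
    for pair in $WANT; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(config_value "$1" "$name")
        if [ "$got" != "$want" ]; then
            echo "$name: want $want, got $got"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

check_config "$SAMPLE_CONFIG" || echo "deviations: $?"
```

            \ on the sample it reports CONFIG_USB_HID built as a module (dead keyboard at the luks prompt) and CONFIG_FW_LOADER_USER_HELPER still on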
        * manually (if you didn't do genkernel above) TODO: incomplete and outdated!
          * initramfs - dracut
            * /etc/dracut.conf.d/my.conf
              \ dracutmodules+="btrfs caps rootfs-block crypt dm crypt-gpg lvm i18n kernel-modules terminfo udev-rules usrmount base fs-lib shutdown biosdevname caps"
              \ #fstab-sys
              \ #crypt depends on dm, requires sys-fs/cryptsetup
              \ #crypt-gpg depends on crypt, requires app-crypt/gnupg
              \ #biosdevname requires sys-apps/biosdevname
              \ #btrfs requires sys-fs/btrfs-progs
              \ omit_dracutmodules+="rpmversion convertfs resume securityfs img-lib dmraid dmsquash-live gensplash iscsi livenet mdraid multipath nbd nfs plymouth ssh-client syslog debug ifcfg network selinux url-lib dash"
              \ hostonly="yes"
            * run:
              \ dracut
      - kernel modules
        \ unsure if this is needed - apparently it's not (genkernel does this automatically)
        \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel#Kernel_modules
    * System
      \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/System
      * network
        * time emerge -av sys-apps/biosdevname
          \ otherwise eth0 remains eth0 apparently, with hardened uclibc
          \ 22s
        * vim /etc/conf.d/hostname
          \ ie. tux
        * for extra options(like setting domain name to homenetwork) if needed, see:
          \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/System#Host_and_domain_information
        * emerge --ask --noreplace net-misc/netifrc
          \ this adds it to favs.
        * vim /etc/conf.d/net
          \ new file!
          - dhcp  (needs only p2p1)
            \ #config_eth0="dhcp"
            \ #config_enp2s0="dhcp"
            \ config_p2p1="dhcp"
          * if static IP
            \ use a different IP here than the one the liveCD used, so that later ssh logins don't hit a ~/.ssh/known_hosts mismatch (the installed system has its own host key, different from the liveCD's); if you reuse the IP, remove the liveCD's line from known_hosts and compare the new fingerprint against ssh-keygen -lf /etc/ssh/ssh_host_*_key.pub on the box before accepting it
            \ The /etc/conf.d/net file does not exist by default, so needs to be created.
            \ #config_eth0="192.168.0.2 netmask 255.255.255.0 brd 192.168.0.255"
            \ #routes_eth0="default via 192.168.0.1"
            \ config_enp2s0="192.168.1.2 netmask 255.255.255.0 brd 192.168.1.255"
            \ routes_enp2s0="default via 192.168.1.1"
            \ #config_p2p1="192.168.1.2 netmask 255.255.255.0 brd 192.168.1.255"
            \ #routes_p2p1="default via 192.168.1.1"
            \ turns out these enp2s0 and enp3s0 cards in my desktop don't get transformed into p2p1 -like bios names!
        * cd /etc/init.d
        - // ln -s net.lo net.eth0
          \ in case the below 2 fail (they did with hardened uclibc)
        * // ln -s net.lo net.enp2s0
        - ln -s net.lo net.p2p1
        - //rc-update add net.eth0 default
        * rc-update add net.enp2s0 default
        - rc-update add net.p2p1 default
          \ XXX: this p2p1 appears instead of enp0s3 due to sys-apps/biosdevname being installed !
        * note: in the future if you want to change any of these, manually that is: rc-update -u  to regen dep tree! NOT ENOUGH: still needs to explicitly: rc-update add net.enp2s0 default
        * vim /etc/hosts   APPEND these NEW lines:
          \ # This defines the current system and must be set
          \ #127.0.0.1     tux.homenetwork tux localhost
          \ looks like this is already set to localhost, so append the following lines:
          \ 127.0.0.1 localhost tux
          \ #^ replace that one with this,  or comment out existing one.
          \ ::1 localhost tux
          \ #^ you must have this ipv6 line (even with USE=-ipv6), because otherwise `hostname -f` queries the DNS server every time it's executed (eg. by startx)!!!
          \ 127.0.0.3 blockedHost
      * set root password (inside chroot) - don't skip this
        \ passwd
      * init and boot config
        * vim /etc/rc.conf
          \ modify/uncomment:
          \ rc_start_wait=100
          \ #UNICODE="NO" #looks like it's lowercase by default:
          \ unicode="NO"
        - vim /etc/conf.d/keymaps
          \ nothing to change
        - vim /etc/conf.d/hwclock
          \ clock="UTC"  (already set)
        * rc-update add gpm default
          \ ensure gpm starts everytime on startup
      * installing tools
        * lsof
          * time emerge -av sys-process/lsof
            \ 10s
        * get a syslogger
          * time emerge --ask --verbose app-admin/metalog
            \ 47s
          * rc-update add metalog default
        * get a cron
          * time emerge -av sys-process/cronie
            \ 26s (with time spent in --ask)
          * rc-update add cronie default
        * to be able to ssh after reboot
          * rc-update add sshd default
        * delete some systemd leftover files from stage3
          * rm -vrf /usr/lib{,64}/systemd
          * rm -vrf /usr/lib64/debug/lib/systemd
          * rm -vrf /usr/lib64/portage/python{2.7,3.3}/install-qa-check.d/*systemd
          * rm -vrf /lib64/netifrc/sh/systemd-wrapper.sh
        * add gdb
          \ sys-devel/gdb
          * time emerge -nav sys-devel/gdb
            \ 3m
      * bootloader
        * set accept keywords (needed for the live git package, grub-9999; the ** keyword accepts any keyword, whereas ~amd64 in make.conf only accepts the testing branch, which is unstable but not as unstable as a 9999 ebuild)
          - mkdir -p /etc/portage/package.accept_keywords
            \ ok, well, a file with this name already exists (because we didn't put ~amd64 in make.conf), so just append to it
          * vim /etc/portage/package.accept_keywords
            \ =sys-boot/grub-9999-r1 **
        * set USE flags (for future emerges too)
          \ src: https://wiki.gentoo.org/wiki//etc/portage/package.use
          * mkdir /etc/portage/package.use/
            \ already exists with iputils file
          * vim /etc/portage/package.use/grub
            \ sys-boot/grub -themes debug mount device-mapper -fonts
        * set FEATURES flags (for future emerges too)
          \ src: https://wiki.gentoo.org/wiki//etc/portage/env
          * vim /etc/portage/package.env
            \ sys-boot/grub grub.conf
          * mkdir /etc/portage/env
          * vim /etc/portage/env/grub.conf
            \ FEATURES="-stricter"
            \ because of this: https://bugs.gentoo.org/show_bug.cgi?id=539606
        - time USE="debug mount device-mapper -themes" FEATURES="-stricter" emerge -av =sys-boot/grub-9999-r1
        * make sure the /etc/portage/patches folder contains the grub patches!!!
          \ so we don't have to do the sed actions below AND XXX: also when updating, the sed actions would have to be repeated!!!
          \ using emacs instead of john here (because that's what I really name my username :P ok don't hack me :)) ):
          \ caveat: everything under /etc/portage/patches is applied to builds that run as root/portage, so /home/a/patches must not be writable by the unprivileged user, or that account can inject code into every rebuilt package
          * mkdir -p /home/a/patches/portage/sys-boot
          * ln -s /home/a/patches/portage/ /etc/portage/patches
          * mkdir -p /home/a/patches/portage/sys-boot/grub-9999-r1:2
          * pushd /home/a/patches/portage/sys-boot
          * ln -rs grub-9999-r1:2 grub-9999-r1
          * ln -rs grub-9999-r1 grub-9999
          * ln -rs grub-9999 grub
          * run this on host (not within ssh!)
            * scp -24vp -P 22 "/home/emacs/coostomhuston/system/gentoo/rootfs/home/emacs/patches/portage/sys-boot/grub-9999-r1:2"/* root@192.168.1.2:'/mnt/gentoo/home/a/patches/portage/sys-boot/grub-9999-r1:2'
              \ the * means *.patch actually, and there are two!
          * ls -la grub
            \ verify the files are there
          * popd
        * time emerge -av \>=sys-boot/grub-9999
          \ unstable grub needed for the lvm+luks+btrfs setup, with grub's boot partition itself on luks
          \ 5m8s (failed with stricter, hence why -stricter now)
          \ without stricter to skip the below fail:
          \ for development use: time ebuild /usr/portage/sys-boot/grub/grub-9999-r1.ebuild merge
          \ ^ but you should have set FEATURES="keepwork keeptemp" (add them in the grub.conf file where -stricter is above) or else they'll be gone, after successful merge, from /var/tmp/portage/
          - fix failed emerge, due to executable *.module files
            \ equery w grub
            \ ebuild /usr/portage/sys-boot/grub/grub-2.02_beta2-r7.ebuild install
            \ remove .install file they say, and rerun ^
            \ get the same error; now find out how to make *.module unexecutable, if they're even needed to be installed; also, why doesn't QA_EXECSTACK from *.ebuild have effect: "This should contain a list of file paths, relative to the image directory, of objects that require executable stack in order to run. The paths may contain fnmatch patterns. This variable is intended to be used on objects that truly need executable stack " src: https://devmanual.gentoo.org/eclass-reference/ebuild/
            \ the odd thing is that only 5 files are reported, but all of them are rwx root, rx other/group
            \ TODO: fix this? https://bugs.gentoo.org/show_bug.cgi?id=539606
            - fix by getting a stable version of grub instead of devel
              \ time ACCEPT_KEYWORDS="-~amd64" emerge -av grub:2
              \ NOPE, still the same error!
        * vim /etc/default/grub
          \ :set paste
          \ only this line exists (uncommented):
          \ GRUB_DISTRIBUTOR="Gentoo"
          \ so, add more lines:
          \ GRUB_CMDLINE_LINUX="ipv6.disable=1 pnp.debug=1 loglevel=9 log_buf_len=10M printk.always_kmsg_dump=y printk.time=y mminit_loglevel=0 memory_corruption_check=1 nohz=on rcu_nocbs=1-3 fbcon=scrollback:4096k fbcon=font:ProFont6x11 apic=debug dynamic_debug.verbose=1 dyndbg=\"file arch/x86/kernel/apic/* +pflmt ; file drivers/video/* +pflmt ; file drivers/acpi/* +pflmt\" radeon.lockup_timeout=20000 radeon.test=0 radeon.benchmark=0 radeon.hard_reset=1 radeon.aspm=1 radeon.dynclks=0 radeon.dpm=1 radeon.runpm=1 rd.debug rd.udev.debug rd.memdebug=3 net.ifnames=1 dolvm console=tty1 earlyprintk=vga"
          \ # so apparently this worked: console=tty1,ttyS0,115200n8 earlyprintk=vga,serial,ttyS0,115200,keep   ALTHOUGH the ttyS0 speed seems to be 9600 or something   OK we don't use this, unless there's an error which we need to debug! the speed difference is 20.6 sec with and 3.3 sec without!
          \ # net.ifnames=0  makes eth0 remain eth0 (actually, this has no effect and it gets renamed to p2p1 when sys-apps/biosdevname is installed!)
          \ GRUB_TERMINAL_INPUT="console"
          \ GRUB_TERMINAL_OUTPUT="console" #gfxterm vga_text spkmodem
          \ # note: GRUB_TERMINAL=console overrides both _INPUT and _OUTPUT to same value
          \ #GRUB_SAVEDEFAULT=true #only when ext2, not btrfs! not when LVM also!
          \ GRUB_SAVEDEFAULT=false
          \ #XXX: ^ required to avoid "error: sparse file not allowed. Press any key to continue ..." when /boot (/but) filesystem is btrfs; https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/736743
          \ GRUB_DEFAULT=0 #not required for btrfs, but since saved doesn't make much sense unless it's like ext2(non-btrfs), 0 is ok
          \ #GRUB_DEFAULT=saved  #only when not btrfs! (eg. ext2 is ok)
          \ #//fixed: when this ^ is set to `saved`, grub2-editenv (run by grub2-mkconfig) looks for /boot/grub/grubenv instead of the /but one, because grub2-mkconfig runs: grub2-editenv - list  which uses the default path.
          \ # https://savannah.gnu.org/bugs/?group=grub (it's ssl3) bug-grub@gnu.org (latest grub binary release was in 2012, latest cvs log is from 2013, we're in 2015 now), so I guess I should just fix this myself without reporting it (not even in gentoo bugs, because they probably don't need the noise, since everyone is likely using /boot).
          \ # can't really use the value from the ${grub_cfg} variable, as that's the one from -o in: grub2-mkconfig -o /but/grub/grub.cfg ; but I can pull out that folder and use it inside grub2-mkconfig to call: grub2-editenv "/but/grub/grubenv" list   (without -o the config is written to stdout)
          \ # //fixed below, skip this: manually fix to /but/grub/ by executing this: sed -re 's|("\$\{grub_editenv\}" )(\-)( list)|\1"/but/grub/grubenv"\3|' -i grub2-mkconfig
          \ GRUB_TIMEOUT=1
          \ # ^ put a 1 sec timeout
          \ GRUB_TIMEOUT_STYLE=menu
          \ GRUB_DISABLE_RECOVERY=false
          \ GRUB_DISABLE_LINUX_UUID=false
          \ GRUB_DISABLE_OS_PROBER=true
          \ GRUB_ENABLE_CRYPTODISK=y
          \ #^ for LUKS: makes grub-install embed the crypto modules so core.img can unlock /but before loading the kernel; expect a passphrase prompt from grub itself in addition to the initramfs one. src: http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/
        * patch to look at /but instead of /boot
          * grubenv: patch grub2-mkconfig to use /but instead of the default /boot
            * grubenv patch TODO: add this to the grub-9999-r1 patches; technically we don't need it, but only because... hmm, /but WAS inside lvm, but now it's inside luks only, so we could use the env, hmm; actually I don't remember this correctly: does saving grubenv from the grub menu fail when the fs is btrfs, or when it's on lvm? anyway, do this!
              * sed -re 's|("\$\{grub_editenv\}" )(\-)( list)|\1"/but/grub/grubenv"\3|' -i /usr/sbin/grub2-mkconfig
                \ the effect of this is seen when using GRUB_DEFAULT=saved
            - patch this, to correctly detect the grub root (aka the boot device, eg. /dev/sda2, not the system root /, eg. /dev/sda3) XXX: already in patches
              * sed -re 's|(\$\{grub_probe\} --target=device )(/boot)(`")|\1/but\3|' -i /usr/sbin/grub2-mkconfig
                * if you forget to apply this, or it's reverted due to updates
                  * old: what happens:
                    \ without this you will get this error(example values):
                    \ cleared screen
                    \ "
                    \ Loading Linux x86_64-3.17.7-gentoo ...
                    \ error: file `/kernel-genkernel-x86_64-3.17.7-gentoo' not found.
                    \ Loading initial ramdisk ...
                    \ error: you need to load the kernel first.
                    \
                    \ Press any key to continue...
                    \ "
                    \ (reverts back to menu after 5 sec, even though -1 is the GRUB_TIMEOUT)
                    \ and to fix it (temporarily) you have to edit the kernel and initrd lines and prepend the boot device location, eg. (hd0,gpt2). find it from the grub cmdline: `ls` lists the devices, then `ls (hd0,gpt2)/` shows whether your kernel and initrd are on that one.
                    \ this is just a temporary fix to let you boot: it overrides the wrong search lines, which point at your rootfs / (eg. /dev/sda3) instead of /boot (eg. /dev/sda2), including the set root= line. the UUID also wrongly points at / instead of /boot, so just changing (hd0,gpt3) to (hd0,gpt2) where you see them isn't enough; but prepending the right partition, (hd0,gpt2), to the kernel and initrd lines will get the system booting, and then you only have to fix grub2-mkconfig with the above sed command before rerunning it
          - patch /etc/grub.d/10_linux to use /but instead of the hardcoded /boot  XXX: already in patches
            * sed -re 's|/boot/|/but/|g' -i "/etc/grub.d/10_linux"
              * what happens (with luks aka now) is: XXX: or maybe this happened because /but wasn't mounted and it put it in /but (also no grub.cfg was here)
                \ you don't get to see the menu and you're dropped to rescue shell because prefix and root are pointing to your root partition instead of boot partition
                * to temporarily fix and boot in:
                  \ set prefix=(lvm/vgall-bootlvol)/grub
                  \ set root=(lvm/vgall-bootlvol)
                  \ insmod normal
                  \ normal
        * ensure /but is mounted:
          \ df /but (if size is like 1G then it's mounted) otherwise, you can only mount it outside of chroot (or if you're not on installCD: mount /but)
          \ needed for both grub2-* commands below
          * if it's not mounted eg. #SECONDBOOT then look for luksOpen before trying mount /but
            \ cryptsetup --verbose luksOpen /dev/sda2 luks_on_sda2_boot
            \ mount /but
            \ df /but
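          \ added example (my own addition, not code from these notes or from Gentoo): instead of eyeballing `df /but`, read a mounts table to decide whether /but is mounted, and only then luksOpen + mount. The table path is a parameter so the check can be tried against a constructed table; on the real box pass /proc/self/mounts. Device and mapper names assumed are the ones used in these notes.

```shell
#!/bin/sh
# Added example, not from the original notes: test whether /but is mounted by
# reading a mounts table instead of eyeballing `df /but`, and only then open
# the LUKS container and mount. The table path is a parameter so the check can
# run against a constructed table; on the real system pass /proc/self/mounts.
# Device and mapper names are the ones these notes use.

# 0 if $2 is listed as a mount point in mounts table $1, 1 otherwise.
is_mounted_in() {
    awk -v mp="$2" '$2 == mp { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# Open the boot container (if still closed) and mount /but, unless already mounted.
ensure_but_mounted() {
    if is_mounted_in /proc/self/mounts /but; then
        echo "/but already mounted"
        return 0
    fi
    # no mapper node => luksOpen has not been run yet (eg. #SECONDBOOT)
    if [ ! -e /dev/mapper/luks_on_sda2_boot ]; then
        cryptsetup --verbose luksOpen /dev/sda2 luks_on_sda2_boot || return 1
    fi
    mount /but || return 1
    df /but
}

# Constructed mounts table in /proc/self/mounts format, for trying the check offline.
make_sample_mounts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
/dev/mapper/vgall-rootlvol / btrfs rw,noatime,compress=lzo,ssd 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/luks_on_sda2_boot /but ext4 rw,noatime 0 0
EOF
    echo "$f"
}

# Demo against the constructed table only; ensure_but_mounted is for the real box.
sample=$(make_sample_mounts)
is_mounted_in "$sample" /but  && echo "sample: /but is mounted"
is_mounted_in "$sample" /boot || echo "sample: /boot is not mounted"
rm -f "$sample"
```

          \ on a box with util-linux, `findmnt /but` does the same mount-point test; the awk version is only there so the logic can be run against a file.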
        * use genkernel made symlinks
          * vim /etc/grub.d/40_custom
            * add passwords
              * prepend these lines(after exec tail, ofc):
                \ set superusers="username1 username2"
                \ password user3 thisisplaintextpassword
                \ password_pbkdf2 username1 grub.pbkdf2.sha512.10000.402EB465....60C1
                \ #that's the output of this line: grub2-mkpasswd-pbkdf2 -s 512
                \ #more: info grub
                \ #that is the password for username1 which is the one that allows booting into kernel
            * add shutdown/reboot grub menu entries
              \ :set paste
              \ menuentry "System shutdown" --users user3 {
              \    echo "System shutting down..."
              \    halt
              \ }
              \
              \ menuentry "System restart" --users "" { #only superusers
              \    echo "System rebooting..."
              \    reboot
              \ }
            * add genkernel made symlinks (maybe skip this for now)
              \ FIXME: need to use LVM here
              \ using LUKS, more info: https://wiki.gentoo.org/wiki/DM-Crypt_LUKS#Genkernel.2FGenkernel-next
              \ FIXME: need to know UUID here, run blkid /dev/sda2 actually that should be the uuid of /dev/sda3 ? currently: bbf00731-3ee8-4127-82fc-b7424f851989  or should it be of lvm_on_luks_on_sda3_root ? aka pEzkC0-YngX-5GUV-2ULa-BYyA-qFWz-yfRCYT hmm probably the former!
              \ still required to manually add/update (or maybe we can use ``) kernel cmdline options
              \ menuentry "latest compiled Linux" { #only superusers
              \ set root=(hd0,0)
              \ OUTDATED: linux /kernel crypt_root=UUID=bbf00731-3ee8-4127-82fc-b7424f851989 root=/dev/mapper/lvm_on_luks_on_sda3_root ro root_trim=yes ipv6.disable=1 pnp.debug=1 loglevel=9 log_buf_len=10M printk.always_kmsg_dump=y printk.time=y memory_corruption_check=1 nohz=on rcu_nocbs=1-3 pcie_aspm=force fbcon=scrollback:4096k fbcon=font:ProFont6x11 radeon.audio=0 radeon.lockup_timeout=0 radeon.test=0 radeon.agpmode=-1 radeon.benchmark=0 radeon.tv=0 radeon.hard_reset=1 radeon.aspm=1 radeon.msi=1 radeon.pcie_gen2=-1 radeon.no_wb=1 radeon.dynclks=0 radeon.r4xx_atom=0 radeonfb radeon.fastfb=1 apic=debug earlyprintk=vga radeon.modeset=1 radeon.dpm=1 radeon.runpm=1 rd.debug rd.udev.debug rd.memdebug=3 net.ifnames=1
              \ # omitting `root=` after the `linux /kernel` line will cause a prompt for the root device to be mounted
              \ initrd /initramfs
              \ }
              \
              \ menuentry "previous(old) compiled Linux" {
              \ set root=(hd0,2)
              \ linux /kernel.old
              \ initrd /initramfs.old
              \ }
              \ # note that hd0,2 is the /but /dev/sda2 device, not root / /dev/sda3
              \ while still in vim do: gg=G
              \ to indent whole file
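            \ added example (my own addition, not code from these notes or from GRUB): build the password block for 40_custom from what grub2-mkpasswd-pbkdf2 printed, so only the password_pbkdf2 form lands in the file (never the plaintext `password user3 ...` form) and a mangled paste is rejected before it breaks the menu. The hash in the demo is a constructed placeholder, not a real one.

```shell
#!/bin/sh
# Added example (not code from the notes or from GRUB): produce the password
# block for /etc/grub.d/40_custom from what grub2-mkpasswd-pbkdf2 printed, so
# only the pbkdf2 form ever lands in the file (never `password user plaintext`)
# and a mangled paste is rejected. Output goes to stdout; append it after the
# `exec tail` line yourself. The hash used in the demo is a constructed placeholder.

# Print the grub.pbkdf2.sha512.<iters>.<salt>.<hash> token from tool output on stdin.
extract_pbkdf2_hash() {
    sed -n 's/.*\(grub\.pbkdf2\.sha512\.[0-9][0-9]*\.[0-9A-F][0-9A-F]*\.[0-9A-F][0-9A-F]*\).*/\1/p' | head -n 1
}

# 0 if $1 looks like a pbkdf2 hash: fixed prefix, then exactly iters.salt.hash
# made of digits/uppercase hex; 1 for anything else (including plaintext).
valid_pbkdf2_hash() {
    case "$1" in
        grub.pbkdf2.sha512.*.*.*) ;;
        *) return 1 ;;
    esac
    rest=${1#grub.pbkdf2.sha512.}
    case "$rest" in
        *.*.*.*) return 1 ;;          # too many fields
        *[!0-9A-F.]*) return 1 ;;     # non-hex junk, eg. a wrapped line
    esac
    return 0
}

# $1 = superuser name, $2 = its pbkdf2 hash. Prints the 40_custom fragment.
render_grub_auth() {
    valid_pbkdf2_hash "$2" || { echo "refusing: '$2' is not a pbkdf2 hash" >&2; return 1; }
    printf 'set superusers="%s"\n' "$1"
    printf 'password_pbkdf2 %s %s\n' "$1" "$2"
    # --users "" keeps the entry superuser-only; no plaintext `password` line is emitted
    cat <<'EOF'
menuentry "System restart" --users "" {
    echo "System rebooting..."
    reboot
}
EOF
}

# Demo: constructed grub2-mkpasswd-pbkdf2 output (placeholder salt/hash, not a real one).
sample_output='PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.402EB465C0FFEE.60C1DEADBEEF'
pbkdf=$(printf '%s\n' "$sample_output" | extract_pbkdf2_hash)
render_grub_auth username1 "$pbkdf"
```

            \ usage on the real box: `grub2-mkpasswd-pbkdf2 | extract_pbkdf2_hash`, then `render_grub_auth username1 "$hash" >> /etc/grub.d/40_custom` (after checking the exec tail line is above it).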
        * grub2-install --compress=xz --target=i386-pc --recheck --debug --locales= --fonts= --boot-directory=/but --no-rs-codes --verbose -- /dev/sda 2>&1
          \ #GRUBY
          \ dev mode(used to track down bugs):
          \ # time ebuild /usr/portage/sys-boot/grub/grub-9999-r1.ebuild configure
          \ 3m18s
          \ # cd /var/tmp/portage/sys-boot/grub-9999-r1/work/grub-9999
          \ # ln -s ~/grub-9999/patches/
          \ ^ assumes quilt patches are in /root/grub-9999/patches/
          \ # quilt push -a
          \ when make clean is needed: # (cd ../grub-9999-pc; make clean) ; time ebuild /usr/portage/sys-boot/grub/grub-9999-r1.ebuild merge
          \ when just recompiling needed: # time ebuild /usr/portage/sys-boot/grub/grub-9999-r1.ebuild merge
          \ end dev mode:
          \ --verbose sets debug=all  as if that was in the grub.cfg as: set debug=all ; seen in: vim util/grub-setup.c +270  as: grub_env_set ("debug", "all");
          \ unsure if part_gpt is needed anymore (since device-mapper USE flag was added to fix this)
          \ apparently with luks+lvm+btrfs, part_gpt module isn't loaded (rescue prompt shows only hd0); at least. without device-mapper USE flag.
          \ --no-rs-codes  because GPT
          \ for when /boot: grub2-install --compress=xz --target=i386-pc --recheck --debug --locales= --fonts= -- /dev/sda 2>&1 |less
          \ kernel must be already compiled before running this (eg. if you used multiple terminals to get here)
          \ --recheck seems to have no effect on the output (diff-checked) it's probably from grub1
          \ FIXME: see why --core-compress is unrecognized (is it EFI only?)
          \ grub2-install: --core-compress: (PROGRAM ERROR) Option should have been recognized!?
          \ //FIXed: grub2-install: error: disk `lvm/vgall-bootlvol' not found.  <-- that - delimiter should be / for gentoo lvm2  - this needed lvm2 package to be installed! go figure!
          \ ^ getting this error even though I had lvm2 installed from genkernel emerge... re-emerging doesn't fix it
          \ fixed above by using lvmetad and having /run -rbind
          \ now no error reported except, if I look back:
          \ grub2-install: info: /dev/mapper/vgall-bootlvol is not present.
          \ grub2-install: info: guessed root_dev `lvm/vgall-bootlvol' from dir `/but/grub/i386-pc'.
          \ this is bad because it doesn't even show the grub menu
          \ the git version of grub at least fails:
          \ grub2-install: error: disk `lvm/vgall-bootlvol' not found.
          \ dayum, even with correct /etc/mtab (inside chroot) it still gives the same error: http://dpaste.com/0D1Y5C4.txt
          \ with or w/o mtab, I now get: grub2-install: error: failed to get canonical path of `/dev/mapper/vgall-bootlvol'. Nevermind, I forgot to mount /dev in chroot too.
          \ fixed (added USE flag device-mapper): http://dpaste.com/08EP4FE.txt
          \ and the log using git version of grub: http://dpaste.com/31A2AW7.txt
          \ yep not found! failed! ('cause the non-git version, wouldn't say anything but would fail to boot!)
          \ grub2-install: error: disk `lvmid/31WF5i-VxBz-zdr3-CbG5-A37g-tbac-qVYGlO/bu7oYe-uBNK-xWYQ-wIZD-fk1K-fBeb-pSkvNO' not found.
          \ the ids are correct but not sure why it won't find it
          \ so we're stuck at this: http://dpaste.com/2G47HAF.txt
          \ bug at: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1420584
          \ patches are there, but now a new issue:
          \ //lvmid/  paths are useless, grub doesn't find the volumes, unless I use lvm/vgall-bootlvol instead(XXX: turns out it detected root instead of boot and used root's lvmid as grub root-which is supposed to be the /boot for grub - it's only grub2-mkconfig doing this, and it's because /boot vs /but and I forgot to apply that patch which I already had above ^ !)
          \ //then after doing that, kernel panics and I cannot scroll up to see exactly why it tries to kill init... and this is why: https://bugzilla.kernel.org/show_bug.cgi?id=90001#c3 aka !! The ramdisk does not support LUKS   (confirmed, for some reason I ran the last genkernel command(seen from ~/.bash_history) with --no-luks
        * need to add root to kernel cmdline
          * find uuid of crypt device by:
            \ cryptsetup luksDump /dev/sda3 |grep UUID
            \ /dev/sda3 is root partition (not boot one!)
            \ so looks like this: b904d6c0-4b05-4c9f-a468-f9242faba2df
          * vim /etc/default/grub
            \ ie. prepend this to GRUB_CMDLINE_LINUX
            \ crypt_root=UUID=b904d6c0-4b05-4c9f-a468-f9242faba2df root_trim=yes rd.luks.uuid=b904d6c0-4b05-4c9f-a468-f9242faba2df rd.luks.allow-discards
            \ NOTE: for now rd. ones are not used, unless you use dracut (aka manual mode of compiling the kernel, instead of via genkernel!)
        * grub2-mkconfig -o /but/grub/grub.cfg 2>&1
          \ this generated /but/grub/grub.cfg
          \ XXX: /but needs to be mounted: mount /but
          \ XXX: run only this command(mkconfig one) if you've changed /etc/default/grub
        * ls -la /boot
          \ should be empty!!! because used /but
          \ well there's ".keep" file from tar unpacking!
        * ls -la /but
          \ should have the sheet!
          \ example:
          \ drwxr-xr-x 1 root root     306 Apr 15 01:38 .
          \ drwxr-xr-x 1 root root     352 Apr  9 19:34 ..
          \ drwxr-xr-x 1 root root      66 Apr 15 01:42 grub
          \ lrwxrwxrwx 1 root root      42 Apr 15 00:54 initramfs -> initramfs-genkernel-x86_64-3.18.9-hardened
          \ -rw-r--r-- 1 root root 5204228 Apr 15 00:54 initramfs-genkernel-x86_64-3.18.9-hardened
          \ lrwxrwxrwx 1 root root      39 Apr 15 00:32 kernel -> kernel-genkernel-x86_64-3.18.9-hardened
          \ -rw-r--r-- 1 root root 4310144 Apr 15 00:32 kernel-genkernel-x86_64-3.18.9-hardened
          \ lrwxrwxrwx 1 root root      43 Apr 15 00:32 System.map -> System.map-genkernel-x86_64-3.18.9-hardened
          \ -rw-r--r-- 1 root root 2302717 Apr 15 00:32 System.map-genkernel-x86_64-3.18.9-hardened

        * inspect grub.cfg a bit (should've worked if the grub patches were in place!)
          \ vim /but/grub/grub.cfg
          \ see if "set root=" is something of (blkid /dev/sda2 | grep UUID)
          \ and hint has the uuid of (blkid /dev/mapper/luks_on_sda2_boot | grep UUID) and the root in the else is the /dev/mapper/luks_on_sda2_boot uuid as reported by blkid
          \ and the root= within the linux line is root=/dev/mapper/vgall-rootlvol, and the crypt_root=UUID= that follows on the same line is ofc a totally different id than the two mentioned above, because it's the blkid of / (the actual root; not the grub root, which to grub is the boot device)
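          \ added example (my own addition, not code from these notes): the same grub.cfg inspection, mechanised. It pulls the UUID that `search --fs-uuid ... --set=root` hands grub as root and the crypt_root=UUID= from the linux line, then checks that grub's root is the decrypted boot fs (the UUID blkid reports for /dev/mapper/luks_on_sda2_boot) and not the encrypted / (the /boot-vs-/but mix-up). The grub.cfg fragment it generates is constructed; the boot UUID is a placeholder, crypt_root is the one from these notes.

```shell
#!/bin/sh
# Added example, not from the notes: mechanise the grub.cfg inspection.
# It pulls the UUID that `search --fs-uuid ... --set=root` gives grub as root
# and the crypt_root=UUID= from the linux line, then checks grub's root is the
# decrypted boot fs (UUID from blkid /dev/mapper/luks_on_sda2_boot) and not the
# encrypted / (the /boot-vs-/but mix-up). The grub.cfg fragment generated
# below is constructed; the boot UUID is a placeholder, crypt_root is the one
# from these notes.

# Last field of the first `search ... --fs-uuid` line: the UUID grub sets as root.
grub_root_uuid() {
    awk '/search/ && /--fs-uuid/ { print $NF; exit }' "$1"
}

# UUID behind crypt_root= on the first linux line that carries one.
crypt_root_uuid() {
    sed -n 's/.*crypt_root=UUID=\([0-9a-fA-F-]*\).*/\1/p' "$1" | head -n 1
}

# $1 = grub.cfg, $2 = UUID of the boot filesystem.
# 0 if grub's root is the boot fs and differs from crypt_root, 1 otherwise.
check_grub_cfg() {
    g=$(grub_root_uuid "$1")
    c=$(crypt_root_uuid "$1")
    if [ -z "$g" ] || [ -z "$c" ]; then
        echo "$1: search/crypt_root lines not found" >&2; return 1
    fi
    if [ "$g" = "$c" ]; then
        echo "$1: grub root equals crypt_root, mkconfig probed / instead of /but" >&2; return 1
    fi
    if [ "$g" != "$2" ]; then
        echo "$1: grub root $g is not the boot fs $2" >&2; return 1
    fi
    echo "$1: ok (root=$g crypt_root=$c)"
}

# Constructed grub.cfg fragment; $1 is the UUID the search line will set as root.
make_sample_cfg() {
    f=$(mktemp)
    cat > "$f" <<EOF
menuentry 'Gentoo GNU/Linux' {
    insmod part_gpt
    insmod lvm
    set root='lvm/vgall-bootlvol'
    search --no-floppy --fs-uuid --set=root $1
    linux /kernel root=/dev/mapper/vgall-rootlvol ro crypt_root=UUID=b904d6c0-4b05-4c9f-a468-f9242faba2df root_trim=yes
    initrd /initramfs
}
EOF
    echo "$f"
}

# Demo: a correct cfg and one where mkconfig pointed grub's root at /.
boot_uuid=11111111-2222-3333-4444-555555555555   # placeholder for blkid output
good=$(make_sample_cfg "$boot_uuid")
bad=$(make_sample_cfg b904d6c0-4b05-4c9f-a468-f9242faba2df)
check_grub_cfg "$good" "$boot_uuid"
check_grub_cfg "$bad"  "$boot_uuid" || echo "bad cfg detected as expected"
rm -f "$good" "$bad"
```

          \ on the real box: `check_grub_cfg /but/grub/grub.cfg "$(blkid -s UUID -o value /dev/mapper/luks_on_sda2_boot)"` right after grub2-mkconfig, before closing /but.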
      * close /but luks
        * umount /but
        * cryptsetup --verbose luksClose /dev/mapper/luks_on_sda2_boot
        * when you wanna mount it later (when sys is running):
          \ cryptsetup --verbose luksOpen /dev/sda2 luks_on_sda2_boot
          \ mount /but
      * backup boot ...
        * sync; time dd if=/dev/sda2 of=/dev/mapper/vgall-bootlvolbackup bs=100M ; sync
          \ yep 537MB reported is 512M in fact (536870912 bytes (537 MB) copied, 7.76532 s, 69.1 MB/s)
          \ 21 sec at 10M (not 100) 1073741824 bytes (1.1 GB) copied, 21.0042 s, 51.1 MB/s
        * TODO: do something with this backup... dunno what at this time, eg. check for modifications after having booted, even though there shouldn't be any because only grub is mounting that one at grub menu, kernel isn't mounting it! unless you manually do luksOpen later on!
      * disable some services
        * rc-update del netmount
          \ rc-update: service `netmount' is not in the runlevel `sysinit'  (or 'boot')
        - rc-update del lvm boot
      * don't clear tty1 on boot (and logout)
        * vim /etc/inittab
          \ replace line:
          \ c1:12345:respawn:/sbin/agetty 38400 tty1 linux
          \ with:
          \ c1:12345:respawn:/sbin/agetty 38400 --noclear tty1 linux
        - but clear it on logout (XXX: or not, shift+pgup will work anyway, with my patch; so this just offers a fake sense of security)
          * be logged in as root
          * vim ~/.bash_logout
            \ new file, append line:
            \ clear
    * rebooting #REBOOT #SHUTDOWN
      * exit
      * cd
      * ensure you exited all OTHER ssh terminals
      * umount --lazy /mnt/gentoo/{dev/{shm,pts,},sys/}
        - umount --lazy /mnt/gentoo/dev/{shm,pts,}
        - umount --lazy /mnt/gentoo/sys/
      * umount /mnt/gentoo/{but,proc,var/tmp/portage,var/tmp,tmp,run,}
        \ umount: /mnt/gentoo/but: not mounted
        \ ^ ignore that
      * in case boot wasn't closed
        \ cryptsetup --verbose luksClose /dev/mapper/luks_on_sda2_boot
      * I should luks close root too:
        \ I didn't do this once.
        * lvm needs to release it first! even tho it's unmounted
          * vgchange -an vgall
        * cryptsetup --verbose luksClose /dev/mapper/lvm_on_luks_on_sda3_root
      * sync
        \ not really needed
      * reboot & exit
        \ poweroff & exit
        \ ^ is what you do in the future (not from live cd though) to ALSO logout
        \ NOTE: doesn't matter what u had on virtualbox's console running, unless u were chrooted(but you did that yourself!)
      * remove CD from virtual drive (in virtualbox) OR it will boot from CD!!
    - if something went wrong (eg. can't mount root because no btrfs module)
      \ FIXME: this is outdated!
      * boot from liveCD
        * mount /dev/sda3 /mnt/gentoo
        * mount /dev/sda2 /mnt/gentoo/but
        - cd /mnt/gentoo
        * mount virtual stuffs into chroot
          \ more info: https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Base#Mounting_the_necessary_filesystems
          * mount -t tmpfs tmpfs /mnt/gentoo/tmp/
            \ OR mount -t tmpfs none /mnt/gentoo/tmp/
          * mount -t proc proc /mnt/gentoo/proc
          * mount --rbind /sys /mnt/gentoo/sys
          * mount --rbind /dev /mnt/gentoo/dev
        * net
          * pkill dhcpcd
            \ https://bugs.gentoo.org/show_bug.cgi?id=526934#c2
          * net-setup enp0s3
            \ or use ifconfig to get the interface name to pass.
            \ for DNS use 8.8.8.8 and set search to none(press enter) or *
        * chroot
          * chroot /mnt/gentoo /bin/bash
          * env-update && source /etc/profile
            \ looks like env-update is recommended as per https://wiki.gentoo.org/wiki/FAQ#My_kernel_doesn.27t_boot.2C_what_should_I_do_now.3F
            \ I don't think it should be though.
          * export PS1="(chroot) $PS1"
        * nano -w /mnt/gentoo/etc/portage/make.conf
          \ make USE var changes ie. add btrfs
        - recompile all based on what changed in USE flags
          * emerge --update --changed-use --ask @world
          - emerge --update --deep --with-bdeps=y --newuse --ask @world
            \ don't use bdeps and deep because it compiles 42 vs 5 packages
            \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Portage#Updating_the_system
          * hash -r
          * env-update && source /etc/profile
          * export PS1="(chroot) $PS1"
          * emerge -p --depclean
            \ if all good and more than 0 packages to remove then, remove the -p param and rerun: emerge --depclean
          * time emerge @preserved-rebuild
            \ old cmd: revdep-rebuild
        * recompile kernel with genkernel
          * genkernel --menuconfig all --bootdir="/but" --no-clean
        * see rebooting above.
    * at boot, you'll be asked for luks password for /but (sda2...) before grub menu is displayed!
      * then to boot the first entry, you'll be asked for username, enter: username1
        \ the pwd is the one you set when you ran grub2-mkpasswd-pbkdf2 above
      * don't idle too much in the grub menu and stuff, because there's no cpu cooling ... so cpu usage is 100% or something.
    * finalizing (after booted in)
      - rm /stage3-*.tar.bz2*
        \ actually keep this, just in case we wanna check the originals
      - fstrim -v --all
        \ well we haven't enabled `discard="true"` inside .vbox file so we can't use this(hdparm -I /dev/sda will not report TRIM)
      - then on host
        \ sudo fstrim -v --all
      * recompile all, based on what changed in USE flags
        * time FEATURES="-stricter" emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
          \ Total: 118 packages
          \ duration: 84m16s
          \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Portage#Updating_the_system
          \ running that will sometimes update kernel sources (that is, get a new set of sources for next kernel version, alongside existing ones) - to update kernel read here https://wiki.gentoo.org/wiki/Kernel/Upgrade#Installing_and_using_a_new_kernel TODO: get the steps
        * TODO: see why ncurses has 2 warnings and fails with stricter! (but then again, many many fail with stricter! and I don't have the nerve to fix/report them)
        * when you see: IMPORTANT: 2 config files in '/etc' need updating.
          \ in current case the new configs are just the default ones which we shouldn't put back (so zap new to avoid them, below)
          \ just run: dispatch-conf
          \ //to see which package owns dispatch-conf do: equery b dispatch-conf
          \ //and it's part of portage, sys-apps/portage-2.2.14
          \ it will try to apply these files(which are newer supposedly):
          \ find /etc -name '._cfg????_*'
          \ you may want to zap-new since it's likely that the new config(+++) is the default one when compared with what we've changed like /etc/locale.gen
        * hash -r && env-update && source /etc/profile
        * time emerge @preserved-rebuild
          \ old name for this whole command is: revdep-rebuild
          \ rebuilds pinentry, as mentioned by the prior emerge
        * dispatch-conf
          \ z to zap new, since that's the default and we don't want that
        * time emerge -av --depclean
          \ // = old comments not in effect
          \ //if all good and more than 0 packages to remove then, remove the -p param and rerun
          \ //-p is --pretend, no needed when -a aka --ask  well unless you have some pressed keys from before(such as double enter) that will start removing... unless you're quick to C-c in the next 5 sec(countdown is shown after the answer to question is Yes)
          \ //this also removes leftover gcc 4.8.3 (which I kept until now) - not anymore, I added it to favs
        * time emerge @preserved-rebuild
          \ //again apparently there's more new ones to remove now, weird
          \ nothing more at this time
    * rc-update add dbus default
      \ no idea if I need this for anything!!
    * fontconfig (not now, but for future reference)
      \ less /usr/share/doc/fontconfig-2.11.1-r2/README.gentoo*
      \ eselect fontconfig ...
      \ ^ will overwrite /etc/fonts/fonts.conf
    * where to go from here
      \ portage: https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Portage#Welcome_to_portage
      \ USE flags & others: https://wiki.gentoo.org/wiki/Handbook:AMD64#Working_with_Gentoo
    * make sure ccache is either empty or moved to have enough ram and tmpfs space left to continue
      \ df /var/tmp
      \ choose one:
      * to move it
        * mv -v -n -t / -- /var/tmp/ccache
          \ it already has all the right permissions
        * vim /etc/portage/make.conf
          \ CCACHE_DIR="/ccache"
      * or to delete it
        * CCACHE_DIR="/var/tmp/ccache" ccache -C -z
    * get xorg
      \ https://wiki.gentoo.org/wiki/Xorg/Configuration#Input_driver_support
      \ okfixed: should use --onlydeps on this next emerge since I know the specific package will fail! aka -o
      * time emerge -avo x11-drivers/xf86-video-virtualbox
        \ first, do use ccache for all other packages (54 total currently)
        \ this does fetch all required X packages too
        \ duration: 34m31s
        \ tail -f /var/log/emerge-fetch.log
        \ ^ to see download progress, which all happens at the beginning while compilation is in progress, ie. parallel downloads (forgot which FEATURES flag does this, can probably easily find though); well they are sequential, but in parallel with the compilation I mean.
        \ this is supposed to fail at the point when compiling x11-drivers/xf86-video-virtualbox  so carry on
        * temporarily switch gcc to vanilla 4.9.2 (4.8.3 will fail to compile this)
          \ is it because of the undefined symbol vgaHWFreeHWRec ? on startx in /var/log/Xorg.0.log ? yep!!
          * gcc-config -l
          * gcc-config 10
            \  [10] x86_64-pc-linux-gnu-4.9.2-vanilla *
          * source /etc/profile
          * ok just temporarily remove -Wstack-protector from /etc/portage/make.conf  CFLAGS var
            \ or else this fails:
            \ /var/tmp/portage/x11-drivers/xf86-video-virtualbox-4.3.26/work/VirtualBox-4.3.26/src/VBox/Runtime/common/checksum/RTSha1Digest.cpp: In function 'int RTSha1DigestFromFile(const char*, char**, PFNRTPROGRESS, void*)':
            \ /var/tmp/portage/x11-drivers/xf86-video-virtualbox-4.3.26/work/VirtualBox-4.3.26/src/VBox/Runtime/common/checksum/RTSha1Digest.cpp:105:15: error: stack protector not protecting local variables: variable length buffer [-Werror=stack-protector]
            \ RTR3DECL(int) RTSha1DigestFromFile(const char *pszFile, char **ppszDigest, PFNRTPROGRESS pfnProgressCallback,
            \               ^
            \ cc1plus: all warnings being treated as errors
            * ie. looks like this now:
              \ CFLAGS="-O2 -pipe -march=native -fstack-protector-all -g3"
          * time FEATURES="-ccache" emerge -av '>=x11-drivers/xf86-video-virtualbox-4.3.20'
            \ to get 4.3.26 (not 4.3.18)
            \ dispatch-conf
            \ u
            \ duration 3m34s
            \ must not use ccache, or else fails with that PIC error:
            \ "error: code model kernel does not support PIC mode"
            \ //if this fails(with the PIC error), remember PATH points to ccache's gcc, so just source /etc/profile to overwrite; but u already did source it, so this shouldn't happen!!!
            - 4.3.18 fails with something else!!!
              \ /var/tmp/portage/x11-drivers/xf86-video-virtualbox-4.3.18/work/vboxvideo_drm/vboxvideo_drm.c:125:17: error: 'drm_mmap' undeclared here (not in a function)
              \         .mmap = drm_mmap,
          * gcc-config 6
          * source /etc/profile
            \ Note: this overwrites whatever you intended to overwrite with your ~/.bashrc
          * put back the -Wstack-protector in make.conf
            * looks like this now:
              \ CFLAGS="-O2 -pipe -march=native -Wstack-protector -fstack-protector-all -g3"
      * time emerge -av x11-base/xorg-drivers
        \ emerge rest of stuff (1 packages)
        \ 9s
      * get xfce4
        \ https://wiki.gentoo.org/wiki/Xfce/HOWTO
        - add more USE flags in /etc/portage/make.conf (already added in first USE)
          \ -minimal dbus jpeg lock session startup-notification -thunar
        * add a line in make.conf
          \ XFCE_PLUGINS="brightness clock trash battery power"
          \ current list is here: https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/profiles/desc/xfce_plugins.desc?view=markup
        * time FEATURES="-stricter" emerge -1nav media-libs/netpbm
          \ 55s
        * time FEATURES="-stricter" emerge -1nav x11-libs/gdk-pixbuf
          \ nothing done!
        * time emerge -nav xfce4-meta xfce4-notifyd
          \ 61 packages! 18m56s
          \ ok just add -stricter, this is ridiculous
          \ XXX: Without explicitly including xfce-extra/xfce4-notifyd in your emerge command, virtual/notification-daemon will draw in GNOME's x11-misc/notification-daemon instead:
          - xfdesktop fails to compile (4.12.1 unstable that is)
            \ xfdesktop-xfdesktop-icon-view.o: In function `xfdesktop_icon_view_drag_drop':
            \ /var/tmp/portage/xfce-base/xfdesktop-4.12.1/work/xfdesktop-4.12.1/src/xfdesktop-icon-view.c:1617: undefined reference to `xfdesktop_dnd_menu'
            * equery m xfce-base/xfdesktop
              \ see the version prior to that (4.12.1) which is currently 4.12.0 or the stable one 4.10.2 currently.
            * time emerge -nav =xfce-base/xfdesktop-4.12.0
              \ that worked!
            * to avoid updates picking up latest version and failing
              * vim /etc/portage/package.mask/xfdesktop
                \ =xfce-base/xfdesktop-4.12.1
            * time FEATURES="-stricter" emerge -nav xfce4-meta
              \ continue...
        * time emerge -nav x11-misc/pcmanfm
          \ this wants 2 new USE flags
          \ 4m27s
          * since this updates eudev, do this:
            * /etc/init.d/udev --nodeps restart
        * rc-update add dbus default
          \ hmm I already added this somewhere above
        * add user john to groups
          * for x in cdrom cdrw usb ; do gpasswd -a john $x ; done
        * hash -r && env-update && source /etc/profile
        * time emerge -nav x11-terms/xfce4-terminal xfce4-volumed-pulse
          \ 18 packages, 7m48s
        - time FEATURES="-stricter" emerge -nav x11-terms/xfce4-terminal
        - time emerge -nav xfce4-volumed-pulse
          \ volume keys
          \ docs from: https://wiki.gentoo.org/wiki/Xfce
      * get into john user from within the virtualbox window (not ssh!) and then:
        * echo "exec startxfce4 --with-ck-launch" > ~/.xinitrc
          \ only needed once
          \ --with-ck-launch is for Restart/Shutdown button to appear, instead of being greyed out!
        * startx
          \ I postponed this one! for later.
      * remove leftover from skel, clear command on bash logout (still as user john)
        * sudo vim /etc/skel/.bash_logout
          \ yep, we do have sudo rights
        * vim ~/.bash_logout
      * install more stuff (from the ssh, root user! normal user cannot emerge!)
        * time emerge -nav net-misc/ntp
          \ for ntpdate
          \ (in parallel with the below, duration: 3m23s)
          * ntpdate -s time.nist.gov
            \ this updates time currently (aka manually, any time you want to, independent of ntpd)
          * rc-update add ntpd default
          * vim /etc/ntp.conf
            \ server 127.127.1.0
            \ fudge  127.127.1.0 stratum 10
            \ src: https://wiki.gentoo.org/wiki/Ntp
            * access to NTP service allowed only from localhost
              \ restrict default nomodify nopeer noquery limited kod
              \ restrict 127.0.0.1
            * denying access to NTP's monlist functionality, used for querying traffic stats but also exploited in a denial-of-service attack.
              \ disable monitor
          * set these in kernel to avoid having to use hwclock service (see: https://wiki.gentoo.org/wiki/Ntp )
            \ note: these were already set
            \ Device Drivers  --->
            \  [*] Real Time Clock  --->
            \      [*]   Set system time from RTC on startup and resume
            \      [*]   Set the RTC time based on NTP synchronization
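          \ added example (my own addition, not code from these notes or from ntp): a check that an ntp.conf actually carries the two hardening settings above, a `restrict default` line with noquery and an uncommented `disable monitor`, so the monlist amplification path is closed before `rc-update add ntpd default` puts it on the network. Both sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the notes: check an ntp.conf for the two hardening
# settings (a `restrict default` line carrying noquery, and `disable monitor`)
# so the monlist amplification path is closed before ntpd starts.
# Sample configs are constructed.

# 0 if the config at $1 has an uncommented `restrict default ... noquery`, else 1.
ntp_has_noquery_default() {
    awk '$1 == "restrict" && $2 == "default" { for (i = 3; i <= NF; i++) if ($i == "noquery") found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# 0 if an uncommented `disable monitor` is present, else 1.
ntp_monitor_disabled() {
    awk '$1 == "disable" { for (i = 2; i <= NF; i++) if ($i == "monitor") found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# 0 only when both settings are present; reports each missing one on stderr.
ntp_conf_hardened() {
    ok=0
    ntp_has_noquery_default "$1" || { echo "$1: restrict default lacks noquery" >&2; ok=1; }
    ntp_monitor_disabled "$1"    || { echo "$1: monitor not disabled" >&2; ok=1; }
    return $ok
}

# Constructed ntp.conf: $1 = "weak" (settings only in a comment) or "hardened".
make_sample_ntp_conf() {
    f=$(mktemp)
    {
        echo "server 127.127.1.0"
        echo "fudge  127.127.1.0 stratum 10"
        if [ "$1" = hardened ]; then
            echo "restrict default nomodify nopeer noquery limited kod"
            echo "restrict 127.0.0.1"
            echo "disable monitor"
        else
            echo "# restrict default nomodify nopeer noquery limited kod"
            echo "# disable monitor"
        fi
    } > "$f"
    echo "$f"
}

# Demo on the two constructed configs; on the real box: ntp_conf_hardened /etc/ntp.conf
weak=$(make_sample_ntp_conf weak)
hard=$(make_sample_ntp_conf hardened)
ntp_conf_hardened "$hard" && echo "hardened sample: ok"
ntp_conf_hardened "$weak" || echo "weak sample: rejected as expected"
rm -f "$weak" "$hard"
```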
        * time FEATURES="-stricter" emerge -nav xfce4-battery-plugin xfce4-sensors-plugin xfce4-mixer xfce4-taskmanager xfwm4-themes orage mousepad xfce4-power-manager
          \ 35 packages, and 1 USE change needed, duration: 14m29s
          \ done: xfce-extra/xfce4-power-manager-1.3.0 needs kernel option CONFIG_TIMER_STATS to be set: *   CONFIG_TIMER_STATS:  is not set when it should be.
        * vim /etc/portage/package.use/firefox
          \ www-client/firefox -gmp-autoupdate gstreamer pulseaudio system-jpeg system-icu system-cairo system-libvpx system-sqlite -wifi
        - first, you must move /var/tmp/ccache into root dir (aka /  not /root )
          \ it's already there!
          * and either:
            * symlink it - or u'll run out of memory! and some random compile errors would happen
            * or just temporarily modify that CCACHE_DIR in make.conf TODO:
              * vim /etc/portage/make.conf
                \ CCACHE_DIR="/ccache"
        * hash -r && env-update && source /etc/profile ; source ~/.bashrc
          \ just did this for good measure
        * time FEATURES="-stricter" emerge -nav firefox
          \ still needs 4 other USE changes, for 4 other packages!
          \ 19 packages
          \ duration: 63m3s
          \ and kernel crashed with NULL pointer dereference!
          * remember to install https://github.com/futpib/policeman instead of noscript/requestpolicy  and also install uBlock (or adblock plus?)
        * enable compositing for xfwm4
          * mkdir -p /etc/X11/xorg.conf.d/
          * vim /etc/X11/xorg.conf.d/25composite.conf (new file)
            \ Section "Extensions"
            \    Option  "Composite"  "Enable"
            \ EndSection
        * time emerge -nav xfce4-screenshooter
          \ for screenshots
        * time FEATURES="-stricter" emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
          \ update everything, if needed, based on what USE flags changed too.
          \ does nothing currently!
        * get chromium (untested in virtualbox)
          * chromium needs kernel options (for the sandbox to work):
            \ CONFIG_USER_NS which recommends CONFIG_MEMCG and CONFIG_MEMCG_KMEM
            \ recompile kernel... and then recompile chromium
          * then get it:
          \ time emerge -nav chromium
          \ wants 3 USE changes
          \ then 33 packages... duration: 175m55s or 19m2s to reemerge with ccache, to show the same error
          \ !! failed due to killed ld... because of -g3 which they say consumes large amounts of memory!
          \ yeah ccache is at 32GB after this stunt!, df was at 4GB now at 26GB (due to that btrfs compression!)
          \ recompilation after the below changes (CXXFLAGS mostly) took 129m46s
          * vim /etc/portage/package.env
            \ www-client/chromium chromium.conf
          * vim /etc/portage/env/chromium.conf
            \ USE="-bindist"
            \ ^ to allow that H.264 video, or else: * bindist enabled: H.264 video support will be disabled.
            \ CFLAGS="-O2 -pipe -march=native -Wstack-protector -fstack-protector-all"
            \ CXXFLAGS="$CFLAGS"
            \ ^ that doesn't have the -g3 one!
          * time emerge -nav chromium
        * make sensors temp show up in sensors in xfce (untested in virtualbox)
          \ src: https://wiki.gentoo.org/wiki/Lm_sensors
          * put this new USE flag:
            \ lm_sensors
          * recompile all: time FEATURES="-stricter" emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world
            \ 2 packages: 1m15s
          * /usr/sbin/sensors-detect
            \ paste: YES  to every question, it worked fine, no lockups!
            \ /etc/conf.d/lm_sensors contains this(without comments):
            \ LOADMODULES=yes
            \ INITSENSORS=yes
            \ HWMON_MODULES="it87"
          * rc-update add lm_sensors default
          * now add the sensors xfce4-panel plugin to the panel...
        - auto login with xdm and slim (untested in virtualbox)
          \ XXX: WORKS but Restart/Shutdown buttons are greyed out!! however, with just login from agetty and startx, they show up ok(after adding the right param to startxfce4  this one: --with-ck-launch )
          \ also don't like that X is started as root!!
          \ src: https://wiki.gentoo.org/wiki/SLiM
          * time emerge -nav x11-apps/xdm
            \ in virtualbox: 4 packages 4m19s
          * rc-update add xdm default
            \ to later remove it from autostart:
            \ rc-update del xdm default
          * time emerge -nav x11-misc/slim
            \ 57s (with chromium in parallel)
            \ in virtualbox: 1m23s
            * vim /etc/conf.d/xdm
              \ DISPLAYMANAGER="slim"
          * vim /etc/slim.conf
            * find the uncommented login_cmd line
              \ replace it with:
              \ login_cmd           exec /bin/bash -login ~/.xinitrc %session
              \ ie. uncomment the above
            * autologin, add these lines:
              \ default_user        john
              \ focus_password      yes
              \ auto_login          yes
              \ NOTE: auto_login removes the password prompt entirely: anyone who can reach the console gets john's session, so only do this on a machine nobody else can touch (the disk passphrase at boot is then the only gate)
          * start it now? (should reboot instead, to be sure it works rightly)
            \ /etc/init.d/xdm start
        * rc-update del xdm default
        * set pcmanfm as desktop TODO: (untested in virtualbox)
          \ currently xfdesktop is on, and apparently sux!
          * Applications Menu (aka start menu) -> Settings -> Sessions and startup -> Application Autostart(tab)
            \ Add, name it desktop, in Command put: pcmanfm --desktop
            \ Logout and startx to see the change!
          * remove xfdesktop from being autostarted!
            \ this gets unconditionally run by /etc/xdg/xfce4/xinitrc  as line: xfdesktop&
            \ clearly we cannot remove the package owning that! aka xfce-base/xfce4-session-4.10.1-r2  because it has xfce4  xfconf and startxfce4 and etc.
            * add Application Autostart(just like pcmanfm --desktop was added above
              \ Name: kill xfdesktop
              \ Command: pkill xfdesktop
              \ seems to work fine!
        * get whisker menu (untested in virtualbox)
          * time emerge -nav xfce-extra/xfce4-whiskermenu-plugin
            \ on virtualbox: 1m12s
            \ on real: 40s
          * add it to panel via rightclick->Panel->Add New Items->Whisker Menu
            \ then move with with Rightclick on it -> Move
        * get weather plugin (untested in virtualbox)
          * time emerge -nav xfce-extra/xfce4-weather-plugin
            \ on virtualbox: 1m35s
            \ on desktop: 26s
          * add it to panel...
        * get net speed plugin (untested in virtualbox)
          * time emerge -nav xfce-extra/xfce4-netspeed-plugin
            \ on virtualbox: 3m9s
            \ on desktop: 52s
          * add it to panel...
        * add already existing orage(plugin) to Panel just like you did the above ones! (untested in virtualbox)
          * remove the old clock which has no other features on click
        * vnc, choose one(or whatever): (untested in virtualbox)
          \ but won't be available in xdm/slim start(login) screen!!
          * get vnc (x11vnc)
            * time emerge -nav x11-misc/x11vnc
              \ in virtualbox: 2m18s
              \ on desktop: 47s
            * to start it in current X to share its desktop
              \ run: x11vnc
              \ this is the better command:
              * x11vnc -localhost -no6 -noipv6 -nap -ping 5
                \ -localhost is the one that matters: x11vnc runs here with no -rfbauth/-passwd, so it must only be reachable through the ssh tunnel below, never from the LAN
            - to start it with the xfce session
              * go to Session and Startup -> Application Autostart
                * make new: Add
                  \ Name: vnc server
                  \ Command: the one I used above
            - not really: it's necessary to make a desktop icon to start it, because it will crash with stack smashing at some point!!
              - so do it.
              * XXX: actually I can start it from ssh, i just have to be logged in as the same user! or su
            * connect through ssh
              * ssh -p 8822 -L 55900:localhost:5900 127.0.0.20
                \ this is ssh local port forwarding (-L)
                \ ssh connects to port 8822 on 127.0.0.20
                \ and listens on port 55900 on the local machine (127.0.0.1 only, since GatewayPorts is off by default)
                \ whoever connects to localhost:55900 is forwarded through the ssh tunnel to the remote's port 5900 (the remote sees the connection coming from its own 127.0.0.1, which is exactly what x11vnc -localhost requires)
                \ so you vnc to localhost:55900
                * vncviewer 127.0.0.1:55900
                  \ and this goes through ssh so it's protected!
          - get vnc (vino)
            \ works well with current X display!!! (not starting a new hidden one!) but uses x11vnc with a bugged TLS wrapper which has to be disabled anyway, so use x11vnc instead!(through ssh tunneling = perfect)
            * time emerge -nav vino
              \ 10 packages
              \ on virtualbox: 19m7s
            * within X, start it to serve:
              * /usr/libexec/vino-server
            * see vino's settings:
              * gsettings list-recursively org.gnome.Vino
            * some bug that I cannot connect with vncviewer(realvnc and tightvnc)
              \ src: http://unix.stackexchange.com/questions/77885/how-can-i-connect-to-gnome-3-with-a-windows-vnc-client
              * gsettings set org.gnome.Vino require-encryption false
                \ that disables vino's TLS: only acceptable when vino is bound to loopback (the org.gnome.Vino network-interface key) and reached through an ssh tunnel, otherwise the VNC password and the whole screen go over the LAN in plaintext
                \ now realvnc's vncviewer will work, and also tightvnc's vncviewer will work too!(tested)
            * remove it?
              * time emerge -av --depclean vino
              * time emerge @preserved-rebuild
                \ nothing? ok
          - get VNC aka tightvnc (and make it work through ssh because it's otherwise plaintext)
            \ src: https://wiki.gentoo.org/wiki/TightVNC
            \ so the problem with this one is that it doesn't connect to EXISTING X, but rather starts a new one.
            * vim /etc/portage/package.use/tightvnc
              \ net-misc/tightvnc server
            * time emerge -nav net-misc/tightvnc
              \ 4m45s
              \ 10m53s in virtualbox
            * su - john
              * vncpasswd
                \ don't set a view-only password, when asked
            * vim /etc/conf.d/vnc
              \ DISPLAYS="root:0 a:0 a:1"
            * rc-update add vnc default
            * vncserver "$DISPLAY" -interface lo -localhost -nevershared -economictranslate -deferupdate 100 -httpport 20000 -depth 32 -geometry 800x600
            * fail badly
              \ missing fonts...
        * to get Shutdown/Restart buttons in xfce4 (untested in virtualbox)
          \ src: https://forums.gentoo.org/viewtopic-p-7506664.html?sid=3fc45a9a656fdef391dba30b6a269398#7506664
          * vim /home/john/.xinitrc
            \ exec startxfce4 --with-ck-launch
            \ ok this works if using startx after login from console! but not from when xdm/slim does it(startx) for me!
            \ and also I had the polkit script 10-admin.rules  (see below!)
          - rc-update add consolekit default
            \ not needed! should not be in any runlevel!
          * ok it would've worked, probably, if I had consolekit in my USE flags!! it's -consolekit by default!
            \ src: https://wiki.gentoo.org/wiki/ConsoleKit
            * vim /etc/portage/make.conf
              \ add   consolekit policykit  to USE flags!!
            * time FEATURES="-stricter" emerge --verbose --tree --update --deep --with-bdeps=y --changed-use --ask @world   
              \ 5 packages, though 7 are shown
            - rc-update add consolekit default
              \ it was already, but to be sure!
              \ not needed!! 
            * rc-update del consolekit default
              \ it's not in any runlevels and still works and is started soooo... remove it from default!
            * vim /etc/polkit-1/rules.d/10-admin.rules
              \ XXX: the buttons do appear without this, but restarting won't work - has no effect and you can see the error after X exits.
              \ src: https://wiki.gentoo.org/wiki/Polkit
              \ just this will do because my user is already in wheel group (for sudo)
              \ polkit.addAdminRule(function(action, subject) {
              \   return ["unix-group:wheel"];
              \ });
              \ #^ this only says who counts as an administrator: wheel members still get a password prompt for any action that requires admin auth
              * or use this if not in wheel group(but notice the username!! and change it accordingly):
                \ polkit.addRule(function(action, subject) {
                \    if ( ((action.id == "org.freedesktop.udisks2.filesystem-mount") ||
                \         (action.id == "org.freedesktop.consolekit.system.restart") ||
                \         (action.id == "org.freedesktop.consolekit.system.shutdown") ) &&
                \        subject.user == "emacs2") {
                \        return "yes";
                \    }
                \ });
                \ #^ unlike addAdminRule, returning "yes" grants exactly those three actions to that user with no prompt at all, so keep the action.id list minimal
            * still nothing: restart/shutdown buttons are greyed out!!
        * setup ssh correctly (untested in virtualbox)
          - vim /etc/conf.d/sshd
            \ the default one is at: /etc/ssh/sshd_config  (well, depends on SSHD_CONFDIR setting in /etc/conf.d/sshd )
          * vim /etc/ssh/sshd_config
            \ man sshd_config
            \ start uncommenting and changing stuff as follows:
            * change Port
              \ Port 22
              \ AddressFamily inet
              \ ListenAddress 0.0.0.0
            * and the rest:
              \ Protocol 2
              \ HostKey /etc/ssh/ssh_host_ed25519_key
              - run this: /usr/bin/ssh-keygen -t ed25519 -a 120 -f /etc/ssh/ssh_host_ed25519_key -b 512
                \ don't put any passphrase
                \ -b is ignored for ed25519 (the key size is fixed), and -a (KDF rounds) only matters when the private key has a passphrase, which a host key doesn't
                \ 399 bytes, already existed, so don't regen!
              \ LogLevel VERBOSE
              \ LoginGraceTime 30s
              \ PermitRootLogin yes
              \ #^ only safe because everything below forces key-only auth; `PermitRootLogin without-password` (`prohibit-password` in newer OpenSSH) says that explicitly and survives a later PasswordAuthentication change
              \ StrictModes yes
              \ MaxAuthTries 1
              \ #^ every key the client offers and the server rejects counts as one try, so with several keys in ssh-agent use -i plus IdentitiesOnly=yes on the client or you lock yourself out
              \ MaxSessions 10
              \ RSAAuthentication no
              \ #^ protocol-1 only (as are RhostsRSAAuthentication and UseLogin below); newer OpenSSH warns about or rejects these, so run sshd -t after every upgrade
              \ PubkeyAuthentication yes
              \ AuthorizedKeysFile      .ssh/authorized_key
              \ #^ deliberately not the default authorized_keys name; the scp below must target exactly this file
              * put your key there:
                * # mkdir ~/.ssh
                * from host:
                  - scp -P 8822 -4vp ~/.ssh/id_ed25519.pub root@127.0.0.20:/root/.ssh/authorized_key
                    \ virtualbox
                  *
                * # ls -la ~/.ssh
                  \ -r--r--r-- 1 root root  93 Feb 21 18:49 authorized_key
                * # chmod go-rwx ~/.ssh/authorized_key
                * # ls -la ~/.ssh
                  \ -r-------- 1 root root  93 Feb 21 18:49 authorized_key
              \ RhostsRSAAuthentication no
              \ HostbasedAuthentication no
              \ IgnoreUserKnownHosts yes
              \ IgnoreRhosts yes
              \ PasswordAuthentication no
              \ PermitEmptyPasswords no
              \ ChallengeResponseAuthentication no
              \ #^ yes = enables TIS Challenge/Response in SSH protocol version 1, and keyboard-interactive in SSH protocol v2
              \ UsePAM no
              \ #^ PAM not used if public key authentication is used! src: https://dev.gentoo.org/~swift/docs/security_benchmarks/openssh.html#item-xccdf_org.gentoo.dev.swift_group_config-default
              \ #^ note this also skips PAM account/session modules (account expiry, pam_limits, ...), not just password checks
              \ AllowAgentForwarding no
              \ AllowTcpForwarding yes
              \ #^ needed for the -L vnc tunnel above
              \ GatewayPorts no
              \ X11Forwarding no
              \ PermitTTY yes
              \ PrintMotd no
              \ PrintLastLog yes
              \ TCPKeepAlive yes
              \ UseLogin no
              \ UsePrivilegeSeparation sandbox
              \ PermitUserEnvironment no
              \ Compression delayed
              \ ClientAliveInterval 30
              \ ClientAliveCountMax 5
              \ UseDNS no
              \ PermitTunnel point-to-point
              \ #^ needed for the ssh -w (tun) VPN in the TODO section
              \ NoneEnabled no
              \ #^ HPN-only option (USE=hpn on Gentoo's openssh); a stock sshd rejects it as a bad configuration option and refuses to start
              \ AcceptEnv LANG LC_*
              \ Ciphers aes256-ctr
              \ # Set this to the unix group whose members are allowed access
              \ #AllowGroups ssh
              \ #^ AllowGroups, plural: AllowGroup is an unknown keyword and sshd refuses the whole file
              \ AllowUsers root john emacs
              \ DenyUsers portage a
              \ #^ redundant once AllowUsers is set (everyone not listed there is denied anyway), harmless though
              \ MACs hmac-sha2-512-etm@openssh.com
              \ KexAlgorithms curve25519-sha256@libssh.org
              \ AuthenticationMethods publickey
              \ #ListenAddress 192.168.100.121
            * sshd -t
              \ syntax-check first, and keep the current session open while testing a new one: a typo here locks you out
            * /etc/init.d/sshd restart
          * verify that root and emacs can connect
            \ done
        * FIXME: how to make startx not hang on `hostname -f` which it does, when internet isn't available but network is up!
          * make hostname -f  NOT DNS lookup upstream ...
            \ WOW I mean, WOW! lacking a ::1 (aka ipv6) entry in /etc/hosts will cause hostname -f to DNS lookup (AAAA? hostnamehere) that upstream!!! fml!! because USE=-ipv6
            \ in fact lacking either ipv4 or ipv6 in /etc/hosts for your hostname will cause a DNS query out.
            \ btw to test this, disconnect your LAN cable, make sure the interface is still UP (not NetworkManager making it down) and this way `hostname -f` will hang.
            * vim /etc/hosts
              \ 127.0.0.1 localhost tux
              \ ::1 localhost tux
              \ #^ those must exist! to avoid DNS queries
              \ #^ with this ordering hostname -f prints "localhost" (the first name on the matching line is the canonical one); put tux first on both lines if anything needs the real name
        * get layman for overlay management
          \ https://wiki.gentoo.org/wiki/Layman
          \ https://wiki.gentoo.org/wiki/Layman#Using_.27repos.conf.27_method_.28default_method_for_app-portage.2Flayman-2.1.0_or_later_.29
          * time emerge -nav '>=app-portage/layman-2.3.0'
            \ duration: 
            \ adds 2 unstable flags
            \ use dispatch-conf, u
            \ believe me, you don't want the stable layman! it makes you do something to make.conf the first time!
          * vim /etc/layman/layman.cfg
            * search for and set new value:
              \ auto_sync : no
              \ nocheck  : no
          * layman-updater --rebuild
            \ only (unstable) 2.3.0 (well not 2.0.0 stable) has this --rebuild option!
            \ not needed at this time but it regens /etc/portage/repos.conf/layman.conf  which is currently an empty file (after the above emerge and even after running this layman-updater -R command, because emerge did that too)
        * now that you have layman, get uTox
          * mask all packages in the overlay
            * mkdir /etc/portage/package.mask/
            * vim /etc/portage/package.mask/tox
              \ (package.mask, singular: portage ignores a packages.mask directory, so the mask below would silently not apply)
              \ new file, contents:
              \ */*::tox-overlay
          * refresh layman's db
            * layman --fetch
          * add utox overlay
            * layman -a tox-overlay
              \ unofficial blah blah
            * time emerge --regen --jobs=4
              \ for caching the overlay too (i think?)
          - set some flags to workaround things in utox
            \ nevermind already -filter_audio in global USE flags
            - vim /etc/portage/package.env 
              \ append this line:
              \ net-im/utox tox.conf
            - vim /etc/portage/env/tox.conf
              \ #CFLAGS="$CFLAGS -g3 -O1 -DDEBUG"
              \ #CPPFLAGS="$CPPFLAGS -g3 -O1 -DDEBUG"
              \ #CXXFLAGS="$CXXFLAGS -g3 -O1 -DDEBUG"
            * 
          * time emerge -av utox
            \ this adds 2 keyword changes for 9999 aka git
            \ dispatch-conf, u
            \ rerun above emerge command
            \ duration, desktop: 3m34s 
            \ utox is fixed at commit: bdd1a009518e325a73a527da152793102b765ef6  currently! so beware when using git version to communicate between two! (different versions will fail)
            \ this is on par with tox-git commit 4ad76497881ee2a623acdedcf0ac10406208b716
          * get inside X and test if it works!
        * get lsusb
          * time emerge -nav sys-apps/usbutils
            \ 34s
        * get vlc
          * make sure qt4 USE flag is set somehow before emerging!! TODO:
        * jdk6
          * vim /etc/portage/package.use/jdk6
            \ dev-java/icedtea-bin -cups
          * mask jdk7
            \ or else it will ask you to add ~amd64 on a later --update @world
            * vim /etc/portage/package.mask/java
              \ >=virtual/jdk-1.7.0
              \ >=virtual/jre-1.7.0
          * time emerge -nav '>=virtual/jdk-1.6.0'
            \ duration: 1m49s
          * java-config --list-available-vms
            \ *)  IcedTea JDK 6.1.13.5 [icedtea-bin-6]
        * fail2ban
          * time emerge -nav net-analyzer/fail2ban
            \ vbox: 1m32s
            \ desktop: 52s
          * time emerge -nav app-admin/gamin
            \ vbox: 3m
            \ desktop: 
          * vim /etc/fail2ban/jail.d/sshd.conf
            \ [ssh-iptables]
            \ enabled  = true
            \ filter = sshd
            \ action = iptables[name=SSH, port=ssh, protocol=tcp]
            \ #^ port=ssh resolves to 22 via /etc/services; change it if sshd's Port is ever moved
            \ logpath = /var/log/sshd/current
            \ maxretry = 5 
          * rc-service fail2ban start
          * rc-update add fail2ban default
          * see status
            * fail2ban-client status
            * fail2ban-client status ssh-iptables
          * to unban IP
            \ note: when banned, all active and future connections from that IP are blocked (eg. existing ssh sessions hang waiting for the unban)
            * to see the IP, do either one:
              * fail2ban-client status ssh-iptables
              * iptables -v -L
            * to unban that IP
              * fail2ban-client set ssh-iptables unbanip 10.0.2.2
                \ jailname is ssh-iptables
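        \ the sliding-window logic behind the jail above (maxretry failures within findtime, then a ban for bantime, then unbanip), as an added stand-alone example that is not fail2ban's own code: it runs over constructed syslog-style sshd lines; a real /var/log/sshd/current written by svlogd carries TAI64N timestamps instead and needs a matching datepattern

```python
# Added example (not fail2ban's code): the sliding-window ban logic that the
# ssh-iptables jail above applies, run over constructed sshd log lines.
# Assumptions: syslog-style lines; a real /var/log/sshd/current written by
# svlogd has TAI64N timestamps instead and needs a matching datepattern.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subset of fail2ban's sshd failregex. "Failed publickey for ..." is what a
# key-only sshd (AuthenticationMethods publickey) logs at LogLevel VERBOSE.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed \S+ for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_ts(ts, year=2015):
    """Syslog timestamps carry no year; assume one (constructed sample)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

class Jail:
    """Ban an IP after maxretry failures inside findtime seconds, for bantime."""

    def __init__(self, maxretry=5, findtime=600, bantime=600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> recent failure timestamps
        self.banned = {}                     # ip -> ban expiry time

    def feed(self, line):
        """Process one log line; return the IP if this line triggers a ban."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        ip, now = m["ip"], parse_ts(m["ts"])
        self.expire(now)
        if ip in self.banned:          # already DROPped by iptables; nothing new
            return None
        q = self.failures[ip]
        q.append(now)
        while q and (now - q[0]).total_seconds() > self.findtime:
            q.popleft()                # forget failures older than findtime
        if len(q) >= self.maxretry:
            # real fail2ban inserts an iptables DROP here, which also stalls
            # the IP's existing sessions (the note above)
            self.banned[ip] = now + timedelta(seconds=self.bantime)
            q.clear()
            return ip
        return None

    def expire(self, now):
        """Lift bans whose bantime has elapsed."""
        for ip in [ip for ip, until in self.banned.items() if until <= now]:
            del self.banned[ip]

    def unbanip(self, ip):
        """Same effect as: fail2ban-client set ssh-iptables unbanip <ip>"""
        return self.banned.pop(ip, None) is not None

    def status(self):
        """Currently banned IPs, like 'fail2ban-client status ssh-iptables'."""
        return sorted(self.banned)

def run(log_text, **jail_opts):
    """Feed every line of log_text; return (IPs banned in order, the jail)."""
    jail = Jail(**jail_opts)
    banned = [ip for ip in map(jail.feed, log_text.splitlines()) if ip]
    return banned, jail

# Constructed sample: 10.0.2.15 fails four times spread over an hour (never
# five inside findtime), 10.0.2.2 fails five times in about 70 seconds.
SAMPLE_LOG = """\
Feb 21 17:50:00 tux sshd[1100]: Failed publickey for john from 10.0.2.15 port 40001 ssh2: ED25519 SHA256:DDDD
Feb 21 18:05:00 tux sshd[1101]: Failed publickey for john from 10.0.2.15 port 40002 ssh2: ED25519 SHA256:DDDD
Feb 21 18:20:00 tux sshd[1102]: Failed publickey for john from 10.0.2.15 port 40003 ssh2: ED25519 SHA256:DDDD
Feb 21 18:35:00 tux sshd[1103]: Failed publickey for john from 10.0.2.15 port 40004 ssh2: ED25519 SHA256:DDDD
Feb 21 18:49:01 tux sshd[1201]: Failed publickey for root from 10.0.2.2 port 51234 ssh2: ED25519 SHA256:AAAA
Feb 21 18:49:03 tux sshd[1202]: Failed publickey for root from 10.0.2.2 port 51235 ssh2: ED25519 SHA256:AAAA
Feb 21 18:49:05 tux sshd[1203]: Invalid user admin from 10.0.2.2
Feb 21 18:49:08 tux sshd[1204]: Failed publickey for invalid user admin from 10.0.2.2 port 51236 ssh2: RSA SHA256:BBBB
Feb 21 18:50:10 tux sshd[1205]: Accepted publickey for john from 10.0.2.15 port 40005 ssh2: ED25519 SHA256:CCCC
Feb 21 18:50:12 tux sshd[1206]: Failed publickey for root from 10.0.2.2 port 51237 ssh2: ED25519 SHA256:AAAA
Feb 21 18:50:20 tux sshd[1207]: Failed publickey for root from 10.0.2.2 port 51238 ssh2: ED25519 SHA256:AAAA
"""

if __name__ == "__main__":
    newly_banned, jail = run(SAMPLE_LOG)
    print("banned:", newly_banned, "status:", jail.status())
```

        \ with the jail's defaults (maxretry 5, findtime 600) only 10.0.2.2 gets banned; widening findtime to an hour with maxretry 4 also bans 10.0.2.15, which is the knob to think about before pointing this at the VirtualBox NAT gateway address (10.0.2.2) that all host connections appear to come from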
        * descent/lotus stuff
          \ NOTE: i did not install these: games-action/d1x-rebirth games-action/d2x-rebirth  although I probably could've ...
          * vim /etc/portage/package.use/d12
            \ dev-games/physfs hog mvl
            \ media-libs/libsdl opengl
            \ media-libs/sdl-mixer midi timidity vorbis
          * vim /etc/portage/make.conf
            \ add  opengl  to USE flags!
          * time emerge -nav x11-apps/mesa-progs
            \ for testing that opengl works in X, run glxinfo and glxgears
            \ https://wiki.gentoo.org/wiki/Xorg/Hardware_3D_acceleration_guide#Introduction
            \ if you get this though:
            \ "Error: Could not set 640x480x32 opengl video mode: X11 driver not configured with OpenGL"
            \ when trying d1/d2 then you didn't have opengl USE flag set for sdl!
          * time emerge -nav media-libs/libsdl
          * time emerge -nav media-libs/sdl-mixer
          * time emerge -av dev-games/physfs
        * to be able to open archives like .zip
          * time emerge -nav xarchiver
            \ dispatch-conf, u
            \ duration: 47s
        * images viewer
          * time emerge -nav viewnior
            \ duration: 29s
        * time emerge -nav pwgen
        * time emerge -nav vbindiff
          \ 35s
        * 
* TODO:
  * epic emerge conflicts? add --backtrack=30
    \ eg.
    \ time FEATURES="-stricter" emerge --verbose --tree --update --deep --backtrack=30 --with-bdeps=y --changed-use --ask @world
  * logjam updates
    \ src: https://weakdh.org/sysadmin.html
    \ looks like this after:
    \ debug1: kex: server->client aes256-ctr hmac-sha2-512-etm@openssh.com none
    \ debug1: kex: client->server aes256-ctr hmac-sha2-512-etm@openssh.com none
    * add to ssh client
      * vim /etc/ssh/ssh_config
        \ MACs hmac-sha2-512-etm@openssh.com
        \ KexAlgorithms curve25519-sha256@libssh.org
        \ i don't know if Kex* is for the ssh client TOO! apparently it is!
        \ Ciphers aes256-ctr
        \ ^ should've already existed!
    * add to sshd_config
      * vim /etc/ssh/sshd_config
        \ KexAlgorithms curve25519-sha256@libssh.org
        \ that mac is already added!
        \ ensure the Kex* line doesn't appear already! if it does, overwrite it!
        \ Ciphers aes256-ctr
        \ ^ should've already existed!
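    \ a reviewer's check for both the sshd_config above (setup ssh correctly) and this Logjam edit, as an added stand-alone example that is not OpenSSH's own tooling: it applies two real sshd parsing rules, that the FIRST value of a keyword wins (so a leftover KexAlgorithms line further down is silently ignored, which is why the note says to overwrite it) and that an unknown keyword (the AllowGroup typo, or the HPN-only NoneEnabled on a stock build) makes sshd reject the whole file; KNOWN is a hand-picked subset of keywords and SAMPLE is a constructed config resembling the one in these notes

```python
# Added example (not OpenSSH's own tooling): audit a drafted sshd_config the
# way a reviewer would before `sshd -t` and the restart. Two real sshd
# parsing rules are applied: the FIRST value of a keyword wins, and an
# unknown keyword aborts sshd. Keyword names are case-insensitive.
# Assumptions: KNOWN is a hand-picked subset of keywords; SAMPLE is a
# constructed config resembling the one in these notes.
import re

KNOWN = {k.lower() for k in """
Port AddressFamily ListenAddress Protocol HostKey LogLevel LoginGraceTime
PermitRootLogin StrictModes MaxAuthTries MaxSessions RSAAuthentication
PubkeyAuthentication AuthorizedKeysFile RhostsRSAAuthentication
HostbasedAuthentication IgnoreUserKnownHosts IgnoreRhosts
PasswordAuthentication PermitEmptyPasswords ChallengeResponseAuthentication
UsePAM AllowAgentForwarding AllowTcpForwarding GatewayPorts X11Forwarding
PermitTTY PrintMotd PrintLastLog TCPKeepAlive UseLogin UsePrivilegeSeparation
PermitUserEnvironment Compression ClientAliveInterval ClientAliveCountMax
UseDNS PermitTunnel AcceptEnv Ciphers AllowGroups AllowUsers DenyUsers
DenyGroups MACs KexAlgorithms AuthenticationMethods Subsystem Match
""".split()}
MULTI = {"hostkey", "listenaddress", "port", "acceptenv"}  # may legitimately repeat

# What weakdh.org (Logjam) and the usual hardening guides tell you to drop.
WEAK = {
    "kexalgorithms": {"diffie-hellman-group1-sha1",
                      "diffie-hellman-group-exchange-sha1",
                      "diffie-hellman-group14-sha1"},
    "ciphers": {"arcfour", "arcfour128", "arcfour256", "3des-cbc",
                "blowfish-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96",
             "hmac-ripemd160"},
}
# The key-only posture the sshd_config in these notes commits to.
WANT = {"protocol": "2", "passwordauthentication": "no",
        "permitemptypasswords": "no", "challengeresponseauthentication": "no",
        "pubkeyauthentication": "yes", "authenticationmethods": "publickey",
        "x11forwarding": "no", "allowagentforwarding": "no"}

def parse(text):
    """Return (effective, problems): effective maps lowercase keyword to the
    value sshd will actually use; problems lists what `sshd -t` or a reviewer
    would flag, with 1-based line numbers."""
    effective, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()              # drop comments/blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # "Key value" or Key=value
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            problems.append(f"line {n}: Match block starts; later lines are conditional and not audited")
            break
        if key not in KNOWN:
            problems.append(f"line {n}: unknown keyword {parts[0]!r}; sshd refuses the whole file")
            continue
        if key in MULTI:
            effective.setdefault(key, []).append(value)
            continue
        if key in effective:
            problems.append(f"line {n}: duplicate {parts[0]} ignored; first value {effective[key]!r} wins")
            continue
        effective[key] = value
    return effective, problems

def audit(effective):
    """Findings against WANT and WEAK for the effective (first-wins) config."""
    findings = []
    for key, want in WANT.items():
        got = effective.get(key)
        if got is None or got.lower() != want:
            findings.append(f"{key}: expected {want!r}, got {got!r}")
    for key, weak in WEAK.items():
        algs = [a for a in effective.get(key, "").split(",") if a]
        if not algs:
            findings.append(f"{key}: not pinned, sshd's default list applies")
        findings += [f"{key}: weak algorithm {a}" for a in algs if a.lower() in weak]
    root = effective.get("permitrootlogin", "").lower()
    if root == "yes" and effective.get("passwordauthentication", "").lower() != "no":
        findings.append("permitrootlogin yes with password auth: root is brute-forceable")
    elif root == "yes":
        findings.append("permitrootlogin yes: prefer without-password so root stays key-only even if PasswordAuthentication changes later")
    return findings

SAMPLE = """\
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin yes
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
X11Forwarding no
AllowAgentForwarding no
Ciphers aes256-ctr
MACs hmac-sha2-512-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org
# leftover from an earlier edit; sshd keeps the line above, not this one:
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
AllowGroup ssh
NoneEnabled no
"""

if __name__ == "__main__":
    eff, probs = parse(SAMPLE)
    print("\n".join(probs + audit(eff)))
```

    \ on SAMPLE it reports the ignored duplicate KexAlgorithms line, the two keywords sshd would choke on, and the PermitRootLogin advice; feed it the real file with `parse(open("/etc/ssh/sshd_config").read())` before restarting sshd, and still run `sshd -t`, since this only knows the keywords listed in KNOWN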
  * ssh tunnel (tun)
    * vim /etc/ssh/sshd_config
      \ PermitTunnel point-to-point
    * /etc/init.d/sshd restart
    * add tun in kernel config
      \ //[*] Networking support  ---> 
      \ //Networking options  ---> 
      \ //<M>   IP: tunneling    (  not needed !)
      \ go back to main,
      \ Device Drivers  --->
      \ [*] Network device support  --->
      \ <M>     Universal TUN/TAP device driver support
      \ that is:
      \ CONFIG_TUN=m
      \ CONFIG_INET_TUNNEL=m  (auto selected and hidden - you can't select it!)
      \ CONFIG_NET_IP_TUNNEL=m (same ^)
      \ !!!!! ALSO ADD CONFIG_NF_TABLES and suboptions while you're at it!
      \ !!!! there's more see BELOW search nftables below!
      * prepare kernel for compilation (and compile it, update grub etc.)
        * cryptsetup --verbose --allow-discards luksOpen /dev/sda2 luks_on_sda2_boot
        * mount /but
        * . /etc/profile
        * time FEATURES="-ccache" genkernel all --bootdir="/but" --install --symlink --no-splash --no-mountboot --makeopts="-j4 V=0" --no-keymap --lvm  --no-mdadm --no-dmraid --no-zfs --no-multipath --no-iscsi --disklabel --luks --no-gpg --no-netboot --no-unionfs --kernname=genkernel --no-firmware --no-integrated-initramfs --compress-initramfs --compress-initrd --compress-initramfs-type=best --loglevel=5 --color --no-clean --oldconfig --no-mountboot --no-postclear
          \ so apparently if --kernname=^Cnkernel (yes ^C the two chars!) then on boot it will fail to load most modules and thus luks device will not be able to mount (so no password asked, just some error which doesn't seem related to module not being loaded)
        * grub2-mkconfig -o /but/grub/grub.cfg 2>&1
        * umount /but
        * cryptsetup --verbose luksClose /dev/mapper/luks_on_sda2_boot 
      * add tun module to autoload
        \ this isn't needed, as ssh -w 5:5 (that part) autoloads the module itself(somehow) but this is for when you need to have the tun interface already loaded for bringing up the interface before ssh does the -w part!
        * vim /etc/conf.d/modules
          \ modules="tun"
          \ just make sure there isn't a modules=  line already! if so, add to it instead!
        * vim /etc/conf.d/net
          \ tuntap_tun5="tun"
          \ config_tun5="192.168.244.1/24"
        * ln -s /etc/init.d/net.lo /etc/init.d/net.tun5
        * rc-update add net.tun5
      * reboot for this kernel to have any effect!
    * start the tun via ssh, example from client PC (yes this should reside on my client PC, to run whenever I wanna establish utox connection, before running utox):
      \ src: https://wiki.archlinux.org/index.php/VPN_over_SSH
      \ sudo ssh \
      \  -o PermitLocalCommand=yes \
      \  -o LocalCommand="sudo ifconfig tun3 192.168.244.2 pointopoint 192.168.244.1 netmask 255.255.255.0" \
      \  -o ServerAliveInterval=60 \
      \  -w 3:5 root@127.0.0.19 -p 8822 \
      \  'sudo ifconfig tun5 192.168.244.1 pointopoint 192.168.244.2 netmask 255.255.255.0; echo tun5 ready'
      \ then C-c when done - it auto closes ssh and tun devices
    * recompile tox/utox
      * layman -s tox-overlay
        \ bring up to date the repo
      * make sure the patches are in place in /etc/portage/patches
      * time emerge -av tox utox
      - run DHT_bootstrap in /root
        \ this is temporary, a script will manage this
      - run utox after startx which will connect to this DHT node.
        \ this is temporary
      * NOTE: if sound is lower pitched it's because of this:
        \ [   24.040933] snd_intel8x0 0000:00:05.0: clocking to 48000
        \ not always being 48000 but rather something like 41131 (or something)
        \ only happens in virtualbox (so far)
    * need dig command for own IP lookup
      * time emerge -nav net-dns/bind-tools
  * deny router access via nft firewall
    * get nft command
      * time emerge -nav net-firewall/nftables
        * recompile kernel with CONFIG_NF_TABLES set ! (see above on how to recompile)
          \ and who knows what others! all its suboptions
          \ also, inside of: IP: Netfilter Configuration  --->
          \ <M> ARP packet logging 
          \ <M> IPv4 packet logging
          \ <M>   IPv4 nf_tables route chain support
          \ and CONFIG_NF_TABLES_ARP aka ARP nf_tables support
          \ and <M> IPv4 NAT and suboptions
          \ and outside, in:
          \ <M>   Ethernet Bridge nf_tables support  --->
          \ and all its suboptions!
          \ outside, in  Core Netfilter Configuration  --->
          \ [*] NFQUEUE integration with Connection Tracking
          \ <M>   LOG target support
    * cp /home/emacs/routerdeny.nft /var/lib/nftables/rules-save
      \ this is ignored: /etc/conf.d/nftables.rules
      \ new file (should not already exist)
      \ /home/emacs/routerdeny.nft was scp-ed by you:
      \ eg. on host: scp -P 8822 -4vp ~/routerdeny.nft root@127.0.0.19:/home/emacs/
    * 
    * rc-update add nftables default
  - remove rsync soon after chroot, AND in admincd
    \ nevermind...
    \   net-misc/rsync-3.1.1 pulled in by:
    \    @system requires net-misc/rsync
    \    sys-apps/portage-2.2.18 requires >=net-misc/rsync-2.6.4
  * don't forget to copy host's /etc/gitconfig aka git config --list --system
  * colordiff
    \ time emerge -avn app-misc/colordiff
  * ufed to tidy up use flags
      \ when you run it you get a menu with all flags, can save changes (in make.conf)
      \ "ufed edits the USE flag settings in your make.conf file only. It can not be used to edit your  package.use file."
    * time emerge -avtn app-portage/ufed
      \ 1m8s
  * word diffs with wdiff
    - (not needed) time emerge -navt app-text/wdiff
    * get git wdiff alias
      \ there's wdiff in git already as: git diff --color-words
      \ src: https://idnotfound.wordpress.com/2009/05/09/word-by-word-diffs-in-git/
      * git config --global alias.wdiff "diff --color-words"
        \ you may check ~/.gitconfig  for [alias] section
  - switch to john user as soon as possible to compile stuff as non-root !
    \ ok this doesn't work, emerge -S can be used by non-root(non-sudoed) users or anything with --pretend  but it won't allow a normal user to install packages! so userpriv is the only thing that works in this context even though ./configure will run as root and that's why ccache needs that CCACHE_UMASK="0002" env var!
    * use $ and # in front of commands (here in this .wofl file)
    * use another ssh session for the non-root user and only emerge stuff from within it.
  - get quilt for generating patches
    \ how to use: http://www.mpagano.com/blog/?p=25
  * patch emerge to NOT copy to the destination if the file exists(in case of re-emerges) and it has the same contents (ie. by checksum comparison, or diff comparisions) - also check if it removes files from previous emerge when reemerging, or it leaves them untouched before copying over them.
  - install pfl and use  e-file cmdhere  instead of  equery b cmdhere  to find out which (non-installed!) package provides the command
    \ https://wiki.gentoo.org/wiki/Pfl
  * holyf that kexec works http://gentoo-en.vfose.ru/wiki/Kexec
    - keyboard was locked up due to Shift+PgUp/Dn attempts which didn't work, after and while a reboot with kexec but apparently works ok if instead it is left alone(not pressing keys) until booted to login prompt. XXX: locks up due to RShift being held down (likely during kexec boot, but not during boot) https://bugzilla.kernel.org/show_bug.cgi?id=92881
  - add mosh and tmux to replace ssh
    * actually use mosh instead of ssh
  * zfs lacks TRIM https://github.com/zfsonlinux/zfs/pull/1016
    * when TRIM is implemented, then you can consider using ZFS, but be aware that they are not very active in fixing bugs ie. https://github.com/zfsonlinux/zfs/labels/Bug%20-%20Major
      \ https://pthree.org/2012/12/04/zfs-administration-part-i-vdevs/
      \ http://www.solarisinternals.com/wiki/index.php/ZFS_Evil_Tuning_Guide#Overview
      \ http://www.solarisinternals.com/wiki/index.php/ZFS_Best_Practices_Guide
      \ https://wiki.gentoo.org/wiki/ZFS
      \ https://en.wikipedia.org/wiki/ZFS#Features
  * make separate /boot partition that's luks with a different key - ie. different luks device than root
  * make 4G btrfs LVM root and resize it later after install
    \ to train myself how to resize it
    \ I think I need to boot from livecd, or online resizing works? hmm
    \ https://wiki.gentoo.org/wiki/LVM#Extend_LV
    \ btrfs filesystem resize max /mnt
    \ src: http://www.funtoo.org/BTRFS_Fun
    \ "And yes, it is an on-line resize, there is no need to umount/shrink/mount."
  * ensure cpu firmware is included in kernel (this may not be needed inside virtualbox)
  * check grub2-install param --pubkey and see if it applies for non-EFI too
    \ to boot signed kernel
    \ "--pubkey=FILE  embed FILE as public key for signature checking"
    \ see: info grub  18.2 Using digital signatures in GRUB
    * can I run coreboot inside virtualbox? what about in other emulators?
      \ apparently not in virtualbox, yet, but yes in QEMU
  - enable debug USE flag
    \ http://www.gentoo.org/proj/en/qa/backtraces.xml
    \ XXX: only enable this flag per package, never globally (don't put it in USE in /etc/portage/make.conf)
  - ccache
    \ emerge --ask dev-util/ccache
    \ more to do: https://wiki.gentoo.org/wiki/Handbook:AMD64/Working/Features#Caching_compilation_objects
  - don't make /home on separate partition because btrfs would be less effective this way
  - /var/tmp must be like /tmp  - tmpfs !
    \ ONLY for when enough ram is available, apparently only 50% (2G out of 4G) RAM is used for any tmpfs, by default !
    * find a way to use 75% of RAM with any tmpfs
  - emerge --ask app-crypt/gnupg
    \ to have gpg inside chroot !
  - add sshd early so we can actually copy/paste!
    \ /etc/init.d/sshd start
  * see FIXME ones
  * emerge --color y --search something | less -R
  * use eix instead of emerge --search
    \ more info: https://wiki.gentoo.org/wiki/Eix
    \ search is way faster ie. eix kernel  or  eix -S -c corba
    * emerge -a eix
      \ 5m24s
    - but DON'T use eix-sync -w -v  WARNING: because it can't keep the downloaded file as emerge-webrsync -k could! (I don't see an option to pass -k to it)
      \ will do emerge-webrsync (instead of emerge --sync) which is the only thing we want since it checks gpg signature (when webrsync-gpg option is set in FEATURES)
      \ but since can't pass -k then don't use it!
      - DON'T use emerge-delta-webrsync
        \ Looking for available base versions for a delta
        \ no base found.  resorting to pulling a full version
        \ uhmmmm
        \ also it doesn't download or check gpgsig!!!
        * emerge --ask emerge-delta-webrsync
        * eix-sync -W -v
          \ -W to use it
  * read cheat sheet
    \ https://wiki.gentoo.org/wiki/Gentoo_Cheat_Sheet
  * when in X, get to this: XDG cache to tmpfs
    \ https://wiki.gentoo.org/wiki/SSD#XDG_cache
  * SSD optimizations
    * read and apply some stuff from here:
      \ https://wiki.gentoo.org/wiki/SSD#Considerations
  - TODO: remove unicode USE flag, for the next install/try
    \ -unicode
  * get a new kernel .config stripped for virtualbox (lots of work/time)
  * make genkernel build kernel inside RAM instead of /usr/src/linux - this only makes sense when using ccache, otherwise we do want to keep object files around to reduce compilation time next time genkernel --no-clean is ran.
    \ 1.2G used after compilation
    \ OR/AND TODO: just skip using genkernel and do it manually
    \ https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/Kernel
  - add reboot/shutdown users
  - ensure tmpfs are mounted in fstab
    - find out how to rbind /tmp to /var/tmp inside /etc/fstab
      \ http://backdrift.org/how-to-use-bind-mounts-in-linux
      \ XXX: actually I don't want to do this, because if /tmp and /var/tmp are the same then I won't know if a certain existing file was created in /tmp or in /var/tmp and besides this doesn't use any extra RAM
  * make sure kernel has Whirlpool support, not just sha stuff
  * check out LUKS
    \ https://wiki.gentoo.org/wiki/DM-Crypt_LUKS
    \ info grub  - can boot from luks
  * check out gpg luks
    \ man 7 dracut.cmdline search for rd.luks.key
  * grub gpg signed kernel
    \ https://balu-wiki.readthedocs.org/en/latest/linux/grub2.html#boot-only-signed-kernel-and-ramdisk
    \ info grub
  * find a way to make emerge show FEATURES too, when emerge --ask --verbose  , not just USE flags
  * remove that SYNC line from make.conf at the right point and write it in this .wofl
  * don't actually use discard flag, use fstrim instead, because just in case I wanna recover some recently accidentally deleted file but also because deleting a ton of files at once is freezy
